gandcrab | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Score

10^/10

gandcrab backdoor ransomware spyware stealer

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\PEXSXU-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .PEXSXU The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/77d4589c34950dc1 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANzCBnSqNaLCzRyZWjPi5ExHOfzMZrhREPBfxbozUB3DqWAg+Lgu+s9rWNk6UHnOw7v2i9sJfbrIdr7Hz+xmo04sUulEQR02hQxZoASooWL6vspR3wCXU6LdwSHR/Rg5fCbacfU9Eo3abz5pl7vt/gUUte1ndJQ1bm8BAtiAT7SiUX/KY0wjkunWc9NtzQysFEofBYfKN6xLqVLp9SLj7ScYWjQzMiUew2MhqFAw3QIZE0mot88ZVpqDVQ0jEw02TZF+KYSotBgvIn6GLDerGCWafyNOqTxew6OSvr1bHd9a3ooKhsz5MY60crwnos0tx5SzYTNo3HDQOlmImO0qAGOWyHM4zBB9g6dSo0XVMEtWzBM+lRA/4qxaaYvsoGNJpH2OhTmzY7I7r3EsbySlWlAyGcyMKJNLmVIAek21i9Hlg1gcWe1Xwim3V+JkJkWQXMZja4lbA7o8NDReT7Oeg4YK8jh5T3jTxnVmOjS2cNM/LByXPDtzI9BE+BoxeVnuo8Omos1pU52sI4cqkBRf5+VRStHN35bVEp9wIs+5NW2xfppz1JTgmtpf5QjX4qJzp36k6U5dEn8bLpGnOEeW0WNUrYgIiVtOMXqp96P+l1QMBwYFATo5CduSS0mf/nGEwh5bigMq6IkRXC67yJWm2z0vy9Dj2GZ7k5pvoUEY1Z8FNIZrHgIUZd2pO/vNrQaKLJ6tZBY+oVkxLnUBDGGgDRgTSha/dUSASksyob7Yktr1etB6VSPhizy6/n0cFs4sY+F+s7FSOqsT8u+UC84drk8+EJ35iZVikBRxk/3Izz4M2uJ5gVD1MpN1UXkMjh8HHTnXM2nVfznbRoiosNOeOLqEI9Clg0sDu2fSdKGQnDMt5aAeMGqq3um/68wwQ4e+UTKGsrPjSnR9WFRo6JpxOotksCDKqS0KGF76/BO5SHh7mveQ4vVnh02EU2zsljH5/ZqQQFkaqOVH2/aAw3rBOZ0tshp3h2Umjl6eNh2lzgDxgyKLrqqAobfLcs6aa6UrWK9nmxv4dha3LUpnOQdGQ2fFnWuuE4evsP/5KTJhNOEm/2cQL7b3Iq+cC9mLLhwlM2TK34z8GdVvK5H2tH6wzpdFQscKGEkhhYGLX+mkwqB8ZX3TGLrWk5yt9p67kuAssa82tKh2Hhgbgg6OqaJAej5ylZmqTQyGlRR+qO2GeXFaHO8uNnK7squky4ZTVJRcc/NHsh8RUYlC+CbBRLGiCpVEENG9VbQCxR+WlUk+KUkieSWn5dOOyLKCOkDpQHYM+5JSVGtD72VWoIq/K7U9oq22Ln8uSMJKKK3NaDK8yH4t7JNEIG+khJKYbTyLx8O83PPOzYhXQd7OgRZtHSRCgEbZem0QYqABL7urjH19YHFoiRrQrRTIGuRsS6qQepyXpKUBl1Eo8QYyI5KZ1tnN+dtbMf4O4JJXVoD+se9MK7xbGqDbCiWx2yKIwzmnLo+cIYnn5/xcP3Y8EShZtaV2yXHqpVPztWLQG0L+MwMZDvK47O6l3xnUjhuKIavWx0Ho5I08K8KOnYwB34+fk5wYbDAhQZx+A8n6GKGORaPYBumvCfAVjxrKJt2BYSPEKLZVVsFlpQdgzUo0S1E43Q9OKNr/zfeOXY0YW8WI+694xSSQXhjJ/A8rixa+d1lOr66LFW9p0v/kp9uqOzlwyeo79xa6WKjbaS8Nr/HJaX+/AJlIxG+1tdT1NnxiV1F/VMzdCsWf5yW9ty0XL1PEa/SoCNpoYciwPUD1wDLI3ccsUE9vVQ4/iP9TnnYSklxuTEaxa9O4M4Jx6QT0G4Bj96ruw/a+5udWasW7WYZMwq6ihs4xGIc7mGiGyWrjsK+Rm6+B69A9jsxSzZ/jccsbxEqn0vb1SHjUjBuihBgngfe/M5uzNL2Hoj5T+v61jUwyaHNe97qHjSmocKwb6hdoRLPRNwfiU9sp9//2mEsZk8rPyutKzs7reyzrE120wbxJ1YJlvkcS+N6rDZdFNv4JEdPuvoBBWNPZ+eAsXUMrSMCn4mGwCunPailSqEvDlkwMUySQyQb8iDfnvuWCP8ds3kS1+VeGXw99/dmQvjeEujTtA4zjO5PVujIKmviIJeAh/jLQ2z+ncIVMPpbMZ9qH6vMtPgpaKyqBxlyC5hoQqPy+tzSDNwJ2MMgDmUHRydIso222UIQE3MZwNM1NDo/mVHpeyggvIElXXWVLWiMhddzv+uolJTKNT6LOQ8lhRiXc7cn5N+oM4dk= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD89MrJLpDRAu2VteDURXjIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJetAKBnBqqsY7R+i3OLGfmdeRiEeJP9zy/PMxLOfjWKP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypS8G1fylWTmU7qZ4Auw9gT+wK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/77d4589c34950dc1

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Renames multiple (261) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GandCrab.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\PEXSXU-MANUAL.txt	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\34950a2c34950dc274.lock	GandCrab.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	GandCrab.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"	GandCrab.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DismountNew.xltm	GandCrab.exe
File opened for modification	C:\Program Files\PublishSearch.ppsx	GandCrab.exe
File opened for modification	C:\Program Files\ShowUpdate.rar	GandCrab.exe
File opened for modification	C:\Program Files\SkipClose.ttf	GandCrab.exe
File opened for modification	C:\Program Files\SplitRepair.jpeg	GandCrab.exe
File created	C:\Program Files (x86)\PEXSXU-MANUAL.txt	GandCrab.exe
File opened for modification	C:\Program Files\ConvertPush.xltx	GandCrab.exe
File opened for modification	C:\Program Files\CopyApprove.xlt	GandCrab.exe
File created	C:\Program Files (x86)\34950a2c34950dc274.lock	GandCrab.exe
File opened for modification	C:\Program Files\SendCompare.ods	GandCrab.exe
File opened for modification	C:\Program Files\TraceImport.xltm	GandCrab.exe
File created	C:\Program Files\PEXSXU-MANUAL.txt	GandCrab.exe
File opened for modification	C:\Program Files\MoveUnprotect.potx	GandCrab.exe
File opened for modification	C:\Program Files\SwitchEnable.iso	GandCrab.exe
File opened for modification	C:\Program Files\WaitRestart.vsdx	GandCrab.exe
File opened for modification	C:\Program Files\PushWrite.wmv	GandCrab.exe
File opened for modification	C:\Program Files\SelectUnpublish.svgz	GandCrab.exe
File opened for modification	C:\Program Files\MoveSearch.temp	GandCrab.exe
File opened for modification	C:\Program Files\RestartProtect.odt	GandCrab.exe
File opened for modification	C:\Program Files\SearchInvoke.rtf	GandCrab.exe
File opened for modification	C:\Program Files\StartCompare.tif	GandCrab.exe
File opened for modification	C:\Program Files\UnregisterTest.tiff	GandCrab.exe
File created	C:\Program Files\34950a2c34950dc274.lock	GandCrab.exe
File opened for modification	C:\Program Files\ConvertRepair.avi	GandCrab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3720	2864	WerFault.exe	110

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 388373.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 288260.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
536	msedge.exe
536	msedge.exe
1384	identity_helper.exe
1384	identity_helper.exe
3492	msedge.exe
3492	msedge.exe
2864	GandCrab.exe
2864	GandCrab.exe
2864	GandCrab.exe
2864	GandCrab.exe
2660	msedge.exe
2660	msedge.exe
2660	msedge.exe
2660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 4216	536	msedge.exe	81
PID 536 wrote to memory of 4216	536	msedge.exe	81
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 1968	536	msedge.exe	82
PID 536 wrote to memory of 428	536	msedge.exe	83
PID 536 wrote to memory of 428	536	msedge.exe	83
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84
PID 536 wrote to memory of 4748	536	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf146f8,0x7ffcaaf14708,0x7ffcaaf14718
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4108 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5268 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1452

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
  2⤵
  PID:2984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1652
  2⤵
  - Program crash
  PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864
1⤵
PID:4972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PEXSXU-MANUAL.txt
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2349886fcd08076af45d9ac4b213afb1

SHA1
b4b74fba0f554a1f1453e7b56e10c73e3ee99ec7

SHA256
3184e90047aceaddcb99115f476f3b525f21f4abce421cadba65e3c8560b930c

SHA512
938454a58abf0b243e63f6b8f9c31d4548a2790e73739cf016cbdb601cbf186277d9effbb51671584d77fba566f57eaccfd01614d91461d96d7ee6378222d6c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
d01be2bc277307bf760669a4f350a984

SHA1
64859376f5718ae3b4e6979a9f029ceaebf91fe4

SHA256
de4ea8f1d2393892282b2e5ed049c0817630e9350e541f75ac9e9dc832967d41

SHA512
a901a5b217e43b9553b2dd6edcafea6a97ad56ea0e94726e578e167409fb8218d7cd5b029788186a5ceacc2ea706f37a6d498ed6915d40e25e662501d02df94f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a14a70f3a6aa9e64dd4893f5a9facbdc

SHA1
afbae9d1b3ac65b5a21b8ebc09c3ff8a95238e06

SHA256
900bc7560f24d1c78db90f29c837e2602f0643fde23396919ff473d337dc6fd3

SHA512
e8172a2d28a24cdaa1ada7cfccb761f1affa0e78f5c39b5edef09caf72c8eb4f929fc86be535d9ba0d4d47316a5c693eb90916c84c3f5585d102754eafd02206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
48daf337adce91225c861d42def4587e

SHA1
289e5d2d4da9b999c4014369194251ca0574afcc

SHA256
e6b53cb674f594351996f3591affca807c4b7ce32d1b519c650178044bec8a47

SHA512
91ac1b4c4ff601dc37dc8c552df21de46659aa5a89cdf60eacc101f27da7fd2c6b7019cd0c21f470bd47487a4d7b206268d7062604d0268d53eee4e8521afdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1df1ce2dbe37281cdc32e98fc243c0e4

SHA1
ee42c1ec781cd6d1c6d2b988d01bf105c3285f21

SHA256
404c8b9e4986e992c218028d8e5c117810cd2b30cdf5ed84998234abfbeae5ac

SHA512
37b658432aba07c537be9e0defdfd91c5345d98c1fd78dfeaabb21e4b4ae152bda29cdc0bdee9bc255f2c8f44b4850566bb7604d8345d7dc2521d87b0eb34df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
228b870d1006d04407557a6d9e98f06d

SHA1
25ae9c15ae0e099851f00b312c0f7bab6cedc7ec

SHA256
17c96164046fbb33abfac51ca51c85ca013b9ddb34c9845779ae8fec8bdbb322

SHA512
e60b2a3ecdddceb34828b53cdfc515c6091cc10f86d6e88df7433ae3e93ad4c4bfe250f4205d886b628399de73779e307bcff84d883b039b0a82963c6cec0888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
743c3334b2cedf0feae12d20f96c20b3

SHA1
a299b68de959725aa1c8fe48f124a1bdf8242d0f

SHA256
5698b722ad285887840d93c5f20c7089eeb1c076533e11aba08f72f6942bba16

SHA512
313842acec9d6b78735d8a39522f706d2fe7e5d9768688e8253fd7eb9685e87d742741aec76dba69969a6c3a04c8ce8989b8d8c5682bcd48c0897db3733ce9f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
090a094b2a116ef9b32c18f85be65d4d

SHA1
1b0ee67368cbbe6c5946f14e3af20f364bb7a9ef

SHA256
8febebfc8933cfa75d85f586978d833a66579fecac34f30ab1e6901e931cfd98

SHA512
17ee428c19dfd2887396759c0e07124618f291be1635fdbf5de748502d1e399e1670d6aac17baa259c28ba3b3f9062d96ec2719d07725b165c406be738f0999d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a0f3.TMP

Filesize
1KB

MD5
1a0d79d9bcc2e54d9bd4ae221fe1f443

SHA1
ec861b08a816e4f54d6a9791499ef09f3daba4b0

SHA256
cb3293d4a9b33d3567487ddb173621a9e8ebcd355e1a75456735995a1ce62774

SHA512
22f622f59d90499cd33441aa0a0a9b31c45fa1810bbe33a6073523e998dc5c3736b3ccd4a8654764ec25a084780f1464f8ac8626ae16d4003494d95e5270863a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6b38d8a341b8d8e1e89a3521fdd464a

SHA1
96da49eaa93cb9f0ab97ccf848b553d4b1a1166a

SHA256
4af0f81dc60e9b62b356ba18eef7e2ecdc339922df2437baa670e221a0715865

SHA512
08b48776597d52fd16b5c48a4c5816d94da181a06b335f1775646dcfec99189e5785ba6e748d1b8c0a5948b2302f82c72a0145dbddfcd15a3871fc1298a9e4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c6b071260fcb243868919c858a12ecbf

SHA1
9987c3c95d02427a201549dd367ca3eae25e1d3c

SHA256
778b7a2183d2d134123235930b29eddb67229ab0e23c3c37016c9cb129087358

SHA512
c63d6eed0cebc05d6ddae60932de860a3a89234463fd8b4ac51a579abe1cde4b181c19d0cbcbc44aba5bb0d0c8c73d798bf1faf164432ce97a536566e94fe17b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 288260.crdownload

Filesize
292KB

MD5
64242db5c926b6d5e96db8afdffcb944

SHA1
0db9a5a599bb72cd1926a3ea8803fadb09e61567

SHA256
df9423ab7015d3d750a1e403bba55532f93f34d5b7f6ecd1c5c7d2dc3267014f

SHA512
ae4d8ccf449de25fd534e353acab43c059f965856a3760201b46b0a470289db52348b6cb524c9237928d54cde5562d39d80a57f0dfba3a42e162ee7ddf192350

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 388373.crdownload

Filesize
291KB

MD5
e6b43b1028b6000009253344632e69c4

SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c

SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\PEXSXU-MANUAL.txt

Filesize
8KB

MD5
33c238859e5f24cb53acc5016c31b05e

SHA1
d11a363aaff5f521ef2ac495050329d078c18bc9

SHA256
52ae72a4c61387e99fefde7d4ecc84a7eef8288d047cdd71fcc3434f4f42ca7e

SHA512
0bc0180874b7b05093a0cc7194cc33b7b34fc7d31504aa7b78bbb50549c09419cd8e0a48f235a0420c6e61efa05556d1d45aed099d2a4c6647aa9fbf70e4ad98

Download Submit
memory/2864-938-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download
memory/2864-951-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download