Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 14:18

General

  • Target

    26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe

  • Size

    128KB

  • MD5

    6b552e8f29852fc7406d07e98ecaf3df

  • SHA1

    baedb5362cf9208b48c6eeb1d81a5839d4f6ee4e

  • SHA256

    26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344

  • SHA512

    8ccf1c0e63319d6bd895d2f78ef9ac57be8f6f1992c9537d0c9687e27fc01e50f90b4aa39f6a5e81cc1d38638e84d5c0cf68abd6bb472a502ed8ab932c7c5c47

  • SSDEEP

    1536:52YN1nS9cCY6Vbs8P+TLtXBcGVyThYhqi0sWjcd2IS3FZBq2dks4QTg12A58AQpE:xNQDVQ8ujb1hh2IS3FZBaCgrQp0Mq

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =---

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c2313a9fae460b3a
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---
---BEGIN PC DATA---
---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/c2313a9fae460b3a

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (297) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe
    "C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe"
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      • Suspicious use of AdjustPrivilegeToken
      PID:808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b640e8c70c0b3c19fcd0b70996b842c3

    SHA1

    2ee73ddcc3d2f3629adab68432cd871fc8abcde9

    SHA256

    5c490703687c8aa8abb89b969ed6ccd95b20c5d6a9f72f3fd4cc38f4ca4fe5d1

    SHA512

    f312b353387244a2e28428b2f9bef520c4e1569fa21464c44433255e0568cf305d695a5b155b018889fb61f5afb207690a1b06e327aef8bf4fc47ac85e71d282

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    6d18e63697a325b865c8164b33b20350

    SHA1

    79c135c0d592c6f8dabcc619dc2293705e9888e3

    SHA256

    33f739708fce74537e95eb20500d99aaea2715c6dcf4e75c71b321ad63aa67cb

    SHA512

    642a8d73975d9bf31e7a5287196252bb5973a50b82fecda2f25aaa68b4d07994e4cc15131c79682918d70f61f17209c7ef51b0f2292dd2107a2f791d8ddc3b5f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    483dcc4c5a144795629a0e591212b2f0

    SHA1

    d0c7316f4e42a797fd238074c18b8bb829360d9a

    SHA256

    5174843828e3a3f4f712228263a5e6d0c5230f06bd56bb8cf80cc7637c792d21

    SHA512

    788525728df5ddd482cdc22a6ab991325762a0df2b1cd88cd4ec86133f9484596f727b7d5e45a34fd3d340432d00fe447e145da0542f1ad95b354b351c20a581

  • C:\Users\Admin\AppData\Local\Temp\Tar1D29.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\KRAB-DECRYPT.txt

    Filesize

    8KB

    MD5

    9e771420fd0c231aa08856b3c21a916b

    SHA1

    297371a948bd290d9a9667c902816943967152d3

    SHA256

    0d4b3b15765427945570acb2fbe69b3fd6c79654a8dcc6e8a753e72b27299291

    SHA512

    ab4f03d913c792cd61b1beaa87c59970d78231e968ea196b0631ef6e794a1510db3ecda2cc1f4723fe8d51896c8402ada477997db35d816032f1a2b56104fbe0