Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 15:15

General

  • Target

    26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe

  • Size

    128KB

  • MD5

    6b552e8f29852fc7406d07e98ecaf3df

  • SHA1

    baedb5362cf9208b48c6eeb1d81a5839d4f6ee4e

  • SHA256

    26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344

  • SHA512

    8ccf1c0e63319d6bd895d2f78ef9ac57be8f6f1992c9537d0c9687e27fc01e50f90b4aa39f6a5e81cc1d38638e84d5c0cf68abd6bb472a502ed8ab932c7c5c47

  • SSDEEP

    1536:52YN1nS9cCY6Vbs8P+TLtXBcGVyThYhqi0sWjcd2IS3FZBq2dks4QTg12A58AQpE:xNQDVQ8ujb1hh2IS3FZBaCgrQp0Mq

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/1809910ecc138465
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---
---BEGIN PC DATA---
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
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/1809910ecc138465

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (272) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (34 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 13 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (43 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe
    "C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe"
    PID:768
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\wbem\wmic.exe (child process)
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      PID:1812
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:400
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\KRAB-DECRYPT.txt
    Filesize

    8KB

    MD5

    eb82cb2ee12616e02655b1e341be5e31

    SHA1

    55f3e4513a37f65b3fee1589a415a4275d64194b

    SHA256

    1e06a4e8020ee11aa1c05c2905445d4525fcafd9daf9ca23fec4feb8d5a0b42a

    SHA512

    33b57ec238b28a18a40b08ddc65e224a7960f62552f996262a36e7e973a98f761d34e3b73c86474dfbb22143d5941173ceda4e261bc45089edd90f9607491781

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bfa86fa3b6ef60416f37e03bde723f33

    SHA1

    bf625d408b720031318906cac538813aee753670

    SHA256

    7d1af6e9ff46cda17015912660ab5633885d4e6fbe5f531f42e1a28813a2f9e4

    SHA512

    11bf8eda18f3adc63a7d2236c10b0e64d75a02b4d6496dd015cafb18857f620cbcf08917ade16fd6ec1cfce336072d9063edabbec02680c96e57556a63269dae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5c52f4802df956b15c15addf1283496d

    SHA1

    1a0e679b877f7bcce59b273d53f66d58b58b6987

    SHA256

    393ee99725fcafbb644820675957c9088b4220c87f45d2a066701c933ef0bccb

    SHA512

    d2d50bcb8a167f767d0466824bb3807721adc2cff89990ac45004b0c8dfca0be0520deb564178ca7beed8ce2b573ae86613342744626792c0f946bcb1b3e6b25

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ea7a8d819f14d54ed89480c6e22ea701

    SHA1

    77f44c4a0e7d9c7624ee0fefbc92df8fb84f60ff

    SHA256

    da73d8ce7473faf8cb86e25ede25295219d8d8e9a15444a481221e7102c48714

    SHA512

    a4a066b5f5bdc6ec166f527aa2bff75e992a51143f12eda51ab653e1b30acc942544669542a391dddd2feefffff89a9cf00f45742b4d341894c80e47b74e8414

  • C:\Users\Admin\AppData\Local\Temp\Tar151D.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a