Analysis
-
max time kernel
136s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 15:15
Static task
static1
Behavioral task
behavioral1
Sample
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe
Resource
win10v2004-20240426-en
General
-
Target
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe
-
Size
128KB
-
MD5
6b552e8f29852fc7406d07e98ecaf3df
-
SHA1
baedb5362cf9208b48c6eeb1d81a5839d4f6ee4e
-
SHA256
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344
-
SHA512
8ccf1c0e63319d6bd895d2f78ef9ac57be8f6f1992c9537d0c9687e27fc01e50f90b4aa39f6a5e81cc1d38638e84d5c0cf68abd6bb472a502ed8ab932c7c5c47
-
SSDEEP
1536:52YN1nS9cCY6Vbs8P+TLtXBcGVyThYhqi0sWjcd2IS3FZBq2dks4QTg12A58AQpE:xNQDVQ8ujb1hh2IS3FZBaCgrQp0Mq
Malware Config
Extracted
C:\$Recycle.Bin\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/118e3b62503bf278
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (282) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe -
Drops startup file 2 IoCs
Processes:
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\503bf595503bf27b210.lock 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exedescription ioc process File opened (read-only) \??\H: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\N: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\Q: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\S: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\W: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\Y: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\Z: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\G: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\E: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\I: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\L: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\O: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\A: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\K: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\P: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\R: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\T: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\U: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\B: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\M: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\V: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\X: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened (read-only) \??\J: 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe -
Drops file in Program Files directory 16 IoCs
Processes:
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exedescription ioc process File created C:\Program Files (x86)\KRAB-DECRYPT.txt 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\SwitchExit.bmp 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File created C:\Program Files\KRAB-DECRYPT.txt 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File created C:\Program Files\503bf595503bf27b210.lock 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\NewCheckpoint.mp4 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\ProtectBackup.docx 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\StopPublish.aif 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\CompareSync.emf 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\RestoreAssert.txt 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\TraceSwitch.001 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File created C:\Program Files (x86)\503bf595503bf27b210.lock 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\ConvertRead.mpv2 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\CopyStart.emf 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\DisableInstall.wvx 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\PingImport.dib 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe File opened for modification C:\Program Files\UpdateMeasure.scf 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exepid process 4920 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe 4920 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe 4920 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe 4920 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 4932 wmic.exe Token: SeSecurityPrivilege 4932 wmic.exe Token: SeTakeOwnershipPrivilege 4932 wmic.exe Token: SeLoadDriverPrivilege 4932 wmic.exe Token: SeSystemProfilePrivilege 4932 wmic.exe Token: SeSystemtimePrivilege 4932 wmic.exe Token: SeProfSingleProcessPrivilege 4932 wmic.exe Token: SeIncBasePriorityPrivilege 4932 wmic.exe Token: SeCreatePagefilePrivilege 4932 wmic.exe Token: SeBackupPrivilege 4932 wmic.exe Token: SeRestorePrivilege 4932 wmic.exe Token: SeShutdownPrivilege 4932 wmic.exe Token: SeDebugPrivilege 4932 wmic.exe Token: SeSystemEnvironmentPrivilege 4932 wmic.exe Token: SeRemoteShutdownPrivilege 4932 wmic.exe Token: SeUndockPrivilege 4932 wmic.exe Token: SeManageVolumePrivilege 4932 wmic.exe Token: 33 4932 wmic.exe Token: 34 4932 wmic.exe Token: 35 4932 wmic.exe Token: 36 4932 wmic.exe Token: SeIncreaseQuotaPrivilege 4932 wmic.exe Token: SeSecurityPrivilege 4932 wmic.exe Token: SeTakeOwnershipPrivilege 4932 wmic.exe Token: SeLoadDriverPrivilege 4932 wmic.exe Token: SeSystemProfilePrivilege 4932 wmic.exe Token: SeSystemtimePrivilege 4932 wmic.exe Token: SeProfSingleProcessPrivilege 4932 wmic.exe Token: SeIncBasePriorityPrivilege 4932 wmic.exe Token: SeCreatePagefilePrivilege 4932 wmic.exe Token: SeBackupPrivilege 4932 wmic.exe Token: SeRestorePrivilege 4932 wmic.exe Token: SeShutdownPrivilege 4932 wmic.exe Token: SeDebugPrivilege 4932 wmic.exe Token: SeSystemEnvironmentPrivilege 4932 wmic.exe Token: SeRemoteShutdownPrivilege 4932 wmic.exe Token: SeUndockPrivilege 4932 wmic.exe Token: SeManageVolumePrivilege 4932 wmic.exe Token: 33 4932 wmic.exe Token: 34 4932 wmic.exe Token: 35 4932 wmic.exe Token: 36 4932 wmic.exe Token: SeBackupPrivilege 2204 vssvc.exe Token: SeRestorePrivilege 2204 vssvc.exe Token: SeAuditPrivilege 2204 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exedescription pid process target process PID 4920 wrote to memory of 4932 4920 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe wmic.exe PID 4920 wrote to memory of 4932 4920 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe wmic.exe PID 4920 wrote to memory of 4932 4920 26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe wmic.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe"C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe"1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\KRAB-DECRYPT.txtFilesize
8KB
MD5b34160e2a7754633abd7118cbde93cb9
SHA15d1a8745dbcd2c7319e77eee3d3c3ffcb1871574
SHA256f6b9107040e8a7343f56464546e833973c50c413874f6f77fd80d069157345c6
SHA5124d7487a032bf32f1d4f96d5d2e9bdd83965530ff245a2b9a733eaf430b358082fa9859a4052d7c5b6fa2925ea9cb75f63e4fa077a49712bf08a7fa8835fc2372