Analysis

  • max time kernel
    136s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 15:15

General

  • Target

    26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe

  • Size

    128KB

  • MD5

    6b552e8f29852fc7406d07e98ecaf3df

  • SHA1

    baedb5362cf9208b48c6eeb1d81a5839d4f6ee4e

  • SHA256

    26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344

  • SHA512

    8ccf1c0e63319d6bd895d2f78ef9ac57be8f6f1992c9537d0c9687e27fc01e50f90b4aa39f6a5e81cc1d38638e84d5c0cf68abd6bb472a502ed8ab932c7c5c47

  • SSDEEP

    1536:52YN1nS9cCY6Vbs8P+TLtXBcGVyThYhqi0sWjcd2IS3FZBq2dks4QTg12A58AQpE:xNQDVQ8ujb1hh2IS3FZBaCgrQp0Mq

Malware Config

Extracted

Path

C:\$Recycle.Bin\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =---

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/118e3b62503bf278
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZRTo1RvHYH7nxWvbfATGCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4eKl/242ROslGolYalqBBiLtrRHVEYsb9ycQ4t64M6b3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFM3vTLNOav1wIZMXQVRleKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/JRdkPsok9V+butLOnzJ/9bHYIh8sz7exPRettGP+Pbn3W/eJIXs9ebdQm9EZhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw==
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/118e3b62503bf278

Signatures

  • Gandcrab

    GandCrab is a ransomware family that encrypts files on the victim's machine and demands payment for the private key needed to decrypt them. This sample identifies itself as GANDCRAB V4 in its ransom note.

  • Deletes shadow copies 3 TTPs

    Ransomware often deletes backups and Volume Shadow Copies to inhibit system recovery. Here the sample spawns wmic.exe with the arguments "shadowcopy delete" (see the process tree below).

  • Renames multiple (282) files with added filename extension

    This suggests ransomware activity: files are encrypted in place and renamed with the extension announced in the ransom note (.KRAB).

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely to geofence execution by the victim's locale.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service (vssvc.exe) is used to manage backups/snapshots. It appears in the process tree alongside the wmic.exe "shadowcopy delete" call, which is the request that deletes the snapshots.
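The ransom note and URL extracted above, together with the "Renames multiple files with added filename extension" signature, are what an incident responder works from on a live host. The following Python script is an added example; it is not part of the sandbox report and not GandCrab code. It walks a directory tree, counts files carrying the .KRAB extension per directory, finds KRAB-DECRYPT.txt notes, and parses each note for the version banner, the extension, the .onion URL and the base64 "PC DATA" blob. The tree built by build_sample_tree() is constructed for the demo; its key block is a placeholder and its PC DATA value is arbitrary base64, not real victim data.

```python
"""Triage helper for a GandCrab-style encryption run (added example)."""
import base64
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "KRAB-DECRYPT.txt"
ENC_EXT = ".KRAB"

# Markers taken from the note layout shown in the report.
RE_VERSION = re.compile(r"---=\s*(GANDCRAB\s+V\d+)\s*=---")
RE_EXT = re.compile(r"have the extension:\s*(\.\w+)")
RE_ONION = re.compile(r"https?://[a-z2-7]{16,56}\.onion/\w+")
RE_PCDATA = re.compile(r"---BEGIN PC DATA---\s*(.*?)\s*---END PC DATA---", re.S)


def parse_ransom_note(text):
    """Pull the victim-identifying fields out of one note."""
    out = {"version": None, "extension": None, "onion_url": None, "pc_data": None}
    if m := RE_VERSION.search(text):
        out["version"] = m.group(1)
    if m := RE_EXT.search(text):
        out["extension"] = m.group(1)
    if m := RE_ONION.search(text):
        out["onion_url"] = m.group(0)
    if m := RE_PCDATA.search(text):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            out["pc_data"] = base64.b64decode(blob, validate=True)
        except ValueError:
            pass  # truncated or tampered blob: leave pc_data as None, keep triaging
    return out


def triage_tree(root):
    """Count renamed files per directory and parse every ransom note found."""
    per_dir = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(ENC_EXT):
                per_dir[os.path.relpath(dirpath, root)] += 1
            elif name == NOTE_NAME:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    notes.append((path, parse_ransom_note(fh.read())))
    return {"encrypted_total": sum(per_dir.values()),
            "per_dir": dict(per_dir),
            "notes": notes}


SAMPLE_PC_DATA = b"constructed sample pc data"  # constructed, not real victim data

# Constructed note following the layout of the one in the report; the key
# block is a placeholder, the URL is the one the report extracted.
SAMPLE_NOTE = f"""---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/118e3b62503bf278
---BEGIN GANDCRAB KEY---
PLACEHOLDER-KEY-BLOCK
---END GANDCRAB KEY---
---BEGIN PC DATA---
{base64.b64encode(SAMPLE_PC_DATA).decode()}
---END PC DATA---
"""


def build_sample_tree():
    """Create a temp tree that looks like a partially encrypted user profile (constructed)."""
    root = tempfile.mkdtemp(prefix="krab-triage-")
    layout = {
        "Documents": ["report.docx.KRAB", "budget.xlsx.KRAB", NOTE_NAME],
        "Pictures": ["holiday.jpg.KRAB", NOTE_NAME],
        "Windows": ["notepad.exe"],  # untouched: no .KRAB files, no note
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_NOTE if name == NOTE_NAME else "x")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"{result['encrypted_total']} encrypted files: {result['per_dir']}")
    for path, parsed in result["notes"]:
        print(path, parsed["version"], parsed["extension"], parsed["onion_url"])
```

Point triage_tree() at a mounted image or a user profile to get the per-directory counts and the victim identifier the note carries; the onion path and PC DATA blob are what ties separate hosts to the same campaign and the same victim ID, so keep them with the case notes rather than only the file hashes.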

Processes

  • C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe (PID 4920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe"
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\wbem\wmic.exe (PID 4932, child of PID 4920)
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\vssvc.exe (PID 2204)
    Command line: C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
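The process tree above is the detection opportunity: a binary running from a user's Temp directory spawning wmic.exe with "shadowcopy delete". The following Python script is an added example, not part of the sandbox report and not a vendor rule. It runs a small rule set over process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage) and raises the severity when the parent runs from a user-writable path. It generalises beyond the page: besides the wmic form seen here it also covers the vssadmin, wbadmin and bcdedit variants of the same technique (ATT&CK T1490). The first sample record reproduces the wmic.exe launch from the tree; the other records are constructed filler.

```python
"""Detect shadow-copy / recovery-inhibiting commands in process-creation logs (added example)."""
import json
import re

# One regex per known recovery-inhibiting command, applied to the lower-cased command line.
RULES = [
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
]

# Parent images under these paths are user-writable, so a recovery-inhibiting
# child is far more suspicious than one spawned from an admin's cmd.exe.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|users\\[^\\]+\\downloads)\\", re.I)


def match_rules(cmdline):
    """Return the names of all rules the command line triggers."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def evaluate(record):
    """Score one process-creation record; None when nothing matched."""
    rules = match_rules(record.get("CommandLine", ""))
    if not rules:
        return None
    parent = record.get("ParentImage", "")
    severity = "high" if USER_WRITABLE.search(parent) else "medium"
    return {"severity": severity, "rules": rules,
            "image": record.get("Image", ""), "parent": parent,
            "cmdline": record.get("CommandLine", "")}


def scan(lines):
    """Parse JSON lines and return the alerts in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        alert = evaluate(record)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed records. The first reproduces the wmic.exe launch from the
# report; the 32-bit sample's system32 path lands in SysWOW64 on disk
# because of WOW64 file-system redirection.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "CommandLine": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\26d48282ecd99bf377fcfd2d1f8cc41cbdca7d645af7791e11f90a4ecbf9c344.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": r"bcdedit /set {default} recoveryenabled no",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r"wmic os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["severity"], alert["rules"], alert["cmdline"])
```

Match on the command line rather than the image path: the tree shows the image as SysWOW64\wbem\wmic.exe while the command line names system32, which is what a 32-bit parent produces under WOW64 redirection, and a rule keyed on the System32 path alone would miss it.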

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\KRAB-DECRYPT.txt
    Filesize

    8KB

    MD5

    b34160e2a7754633abd7118cbde93cb9

    SHA1

    5d1a8745dbcd2c7319e77eee3d3c3ffcb1871574

    SHA256

    f6b9107040e8a7343f56464546e833973c50c413874f6f77fd80d069157345c6

    SHA512

    4d7487a032bf32f1d4f96d5d2e9bdd83965530ff245a2b9a733eaf430b358082fa9859a4052d7c5b6fa2925ea9cb75f63e4fa077a49712bf08a7fa8835fc2372