Overview
BitchTits ...P].exe (windows7-x64), score 7
WannaFartCry.exe (windows7-x64), score 7
Wannashiturself.exe (windows7-x64), score 3
big FAT ti...RE.exe (windows7-x64), score 10
big fat se...re.exe (windows7-x64), score 10
bitch man ...re.exe (windows7-x64), score 1
bro what t...at.dll (windows7-x64), score 8
cocksucker...L].exe (windows7-x64), score 7
fart poopy...re.exe (windows7-x64), score 7
fart weewe...re.exe (windows7-x64), score 7
farting po...re.exe (windows7-x64), score 10
farty poo ...re.exe (windows7-x64), score 10
fuck you.exe (windows7-x64), score 10
large peni...24.exe (windows7-x64), score 7
niggaware ...29.exe (windows7-x64)
pee poo pi...re.exe (windows7-x64), score 10
retard ransomware.exe (windows7-x64), score 10
Analysis
max time kernel: 1791s
max time network: 1563s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2024 14:23
Behavioral tasks (task: sample, resource)
behavioral1: BitchTits Ransomware [VIP].exe, win7-20240708-en
behavioral2: WannaFartCry.exe, win7-20240704-en
behavioral3: Wannashiturself.exe, win7-20240704-en
behavioral4: big FAT tits RANSOMWARE.exe, win7-20240704-en
behavioral5: big fat sexy dildo poop ransomware.exe, win7-20240708-en
behavioral6: bitch man ransomware.exe, win7-20240708-en
behavioral7: bro what the fuckkk ur seriously beliving that.dll, win7-20240704-en
behavioral8: cocksucker ransomware [COOL].exe, win7-20240704-en
behavioral9: fart poopy ransowmare.exe, win7-20240705-en
behavioral10: fart weewee ransomware.exe, win7-20240708-en
behavioral11: farting poop sex ransomware.exe, win7-20240708-en
behavioral12: farty poo poo ransomware.exe, win7-20240705-en
behavioral13: fuck you.exe, win7-20240705-en
behavioral14: large penis ransomware 2024.exe, win7-20240704-en
behavioral15: niggaware ransomware in 2029.exe, win7-20240704-en
behavioral16: pee poo piss piss ransomware rare.exe, win7-20240705-en
behavioral17: retard ransomware.exe, win7-20240705-en
General
Target: farting poop sex ransomware.exe
Size: 190KB
MD5: 2bebc43247cc29bc75e91f0f6f5eb05e
SHA1: b11e21dc35751a26fbc8304187b663ee3ae15676
SHA256: a1c01cc7189609f84e71d6758c5837fc118ce3d0ed05b009fc29d90e59cc6fd3
SHA512: ffc07134cb26836c245b2d3d2dfb4bad35d2893d72cf41f179fbc6aba31475fb727d0462ea2f77f7d31da5ce94930017ffa30d92ccbfdaf4f8144fc87f28440f
SSDEEP: 3072:8hZQj6bmfjN9StAd1YO8sKI+Lj+dW4LBIxB+NK6AK89:56eNYI1YO89fnhgK6BY
Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\GRTNMJFJ-MANUAL.txt
Family: gandcrab
URL: http://gandcrabmfe6mnef.onion/e6da197513c00a4
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (277) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file (2 IoCs)
  Processes: farting poop sex ransomware.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\GRTNMJFJ-MANUAL.txt
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\13c074913c00a511c.lock
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: farting poop sex ransomware.exe
    File opened (read-only): \??\Y:, \??\I:, \??\L:, \??\Q:, \??\P:, \??\S:, \??\U:, \??\A:, \??\G:, \??\O:, \??\T:, \??\V:, \??\W:, \??\X:, \??\K:, \??\M:, \??\R:, \??\J:, \??\N:, \??\Z:, \??\B:, \??\E:, \??\H:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: farting poop sex ransomware.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"
- Drops file in Program Files directory (42 IoCs)
  Processes: farting poop sex ransomware.exe
    File opened for modification: C:\Program Files\ConvertFromInstall.mpv2
    File opened for modification: C:\Program Files\RequestConvertTo.zip
    File opened for modification: C:\Program Files\RequestUnregister.xhtml
    File opened for modification: C:\Program Files\ResolveSave.AAC
    File opened for modification: C:\Program Files\StopEdit.mht
    File created: C:\Program Files (x86)\GRTNMJFJ-MANUAL.txt
    File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\GRTNMJFJ-MANUAL.txt
    File opened for modification: C:\Program Files\CompareNew.pps
    File opened for modification: C:\Program Files\SwitchOpen.htm
    File opened for modification: C:\Program Files\AddCopy.wmv
    File opened for modification: C:\Program Files\ApproveSwitch.xlsx
    File opened for modification: C:\Program Files\StopSwitch.wmv
    File opened for modification: C:\Program Files\UnprotectMerge.midi
    File created: C:\Program Files\GRTNMJFJ-MANUAL.txt
    File opened for modification: C:\Program Files\ConvertToUnregister.midi
    File opened for modification: C:\Program Files\ResetSwitch.easmx
    File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\GRTNMJFJ-MANUAL.txt
    File opened for modification: C:\Program Files\ConvertAdd.png
    File opened for modification: C:\Program Files\FormatWait.vdw
    File opened for modification: C:\Program Files\SuspendInvoke.001
    File opened for modification: C:\Program Files\WatchRequest.vdw
    File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\GRTNMJFJ-MANUAL.txt
    File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\13c074913c00a511c.lock
    File created: C:\Program Files\13c074913c00a511c.lock
    File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\13c074913c00a511c.lock
    File opened for modification: C:\Program Files\InvokeStart.mp3
    File opened for modification: C:\Program Files\ExportUnregister.xsl
    File opened for modification: C:\Program Files\GetReceive.js
    File opened for modification: C:\Program Files\ImportComplete.DVR-MS
    File opened for modification: C:\Program Files\InitializeEnter.rar
    File opened for modification: C:\Program Files\OpenConnect.mpp
    File opened for modification: C:\Program Files\RegisterFormat.3gp2
    File opened for modification: C:\Program Files\UnprotectStep.ADT
    File opened for modification: C:\Program Files\DismountUninstall.php
    File created: C:\Program Files (x86)\13c074913c00a511c.lock
    File opened for modification: C:\Program Files\DisableResume.ppt
    File opened for modification: C:\Program Files\InvokeApprove.wdp
    File opened for modification: C:\Program Files\MountSwitch.bmp
    File opened for modification: C:\Program Files\ReceiveApprove.rtf
    File opened for modification: C:\Program Files\RemoveReceive.nfo
    File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\13c074913c00a511c.lock
    File opened for modification: C:\Program Files\CompareConnect.DVR-MS
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: farting poop sex ransomware.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    PID 1588: vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: farting poop sex ransomware.exe
    PID 2748: farting poop sex ransomware.exe
    PID 2748: farting poop sex ransomware.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    Token: SeBackupPrivilege, PID 1704, vssvc.exe
    Token: SeRestorePrivilege, PID 1704, vssvc.exe
    Token: SeAuditPrivilege, PID 1704, vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: farting poop sex ransomware.exe, cmd.exe (description, pid, process, target process)
    PID 2748 wrote to memory of 664: farting poop sex ransomware.exe -> cmd.exe
    PID 2748 wrote to memory of 664: farting poop sex ransomware.exe -> cmd.exe
    PID 2748 wrote to memory of 664: farting poop sex ransomware.exe -> cmd.exe
    PID 2748 wrote to memory of 664: farting poop sex ransomware.exe -> cmd.exe
    PID 664 wrote to memory of 1588: cmd.exe -> vssadmin.exe
    PID 664 wrote to memory of 1588: cmd.exe -> vssadmin.exe
    PID 664 wrote to memory of 1588: cmd.exe -> vssadmin.exe
    PID 664 wrote to memory of 1588: cmd.exe -> vssadmin.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\farting poop sex ransomware.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\farting poop sex ransomware.exe"
  PID: 2748
  Signatures: Drops startup file; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    PID: 664
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      PID: 1588
      Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1704
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: cc800b552237d7582dacdceeef47d09d
  SHA1: 6e4241c0706e07078eab38d9bc48763273a7d730
  SHA256: 8b927a9e3984b9ae92b200061c556ca73382df2c66fde04b19edfdebbd59cea3
  SHA512: 6681103785aba4b10ef2402ee98c7c5dac8b4038f203792ce086c09a4f23698a4d42c016f37ad0f5823757e6680a039a98f4b90474d1fe23fa92b198f992604a