Analysis

  • max time kernel
    44s
  • max time network
    31s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-07-2024 17:10

General

  • Target

    bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe

  • Size

    291KB

  • MD5

    e6b43b1028b6000009253344632e69c4

  • SHA1

    e536b70e3ffe309f7ae59918da471d7bf4cadd1c

  • SHA256

    bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

  • SHA512

    07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

  • SSDEEP

    6144:nSRCSpUtLz+/enihebWBUOP3yIhLVMmi0CtG7go+I:SUOEnNnHbmP3yIE3tGX

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\WMAJAIYOPI-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .WMAJAIYOPI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/de1ecc019ba1eed3 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFUwlgrknZET0EflmG+4ol/Nr5a44emj1fqeNvgOUir7fX3TmLh+dFjpunUHIfmEzUFjiFX5HYG8G5F0yylVB1CEOgUQyYlpwYxGoemC67PwSK4enswEmuOB0OKqMgshjC/wk9c1SSh3XCtNasFuOlPE9t1PhacgzMnZCz5+BavWaOCsGkimospro2fOeJDz4MR1QJysfZgdQohbfl3jjSaHHcKSF9PMRfARE0sYGXXhM5hOSDWG5vhugs4J1JM0KPoVXgd1HuH0fVOxbvnVa6UjFeTLZc7adRGIug6cFSiLWs4SHsuEO6pchttjk1hg0JUesA/aQR8cXPXR787Yl6WxpsQw5Sbnjk27CZmxtFfWWH7aG8AMs0FwlICxWYA3QBl1dDtTt1z7TPu/Ng8O2EzOqwpF0wx+AdkmxH9RnItlkWu/mDPgCc2RKjXQjuM+hCRjXs+j+e7lTHDtjvybX0Ibl+QX6Sf/Kji5AX0xyc784Y5lDAIYkkshf2G5buarmrfUnGhkOjbN6DBflOvubZmDuE4actyV9ca2woMd4OtDJWFBfHQDX/gvPVc1lKFPFjzkSrGMDHih44a2sywI+/y0u8tdH9M+tRBIJxc0mz3vi1ocLWiGIBlHNduPA9NrTuV6PfqgKHlOs35MK4id39CG83yOpQFCTllkpMqse0KYeMVU8At8nyxPJhNzvaPonkMSVrk7rnbRyWDz4DnXYST5t818YBimLAfIt5yD7qaZG9Y+88RNb2+4WujGi/QYBmQlPp+DyyksdcAcoRigah7KdXuEB91Kr0SvH+aKBkf3jrKzHkkAQAITb4DTBLl9Z2DBZnXTnQmO5MHnIG4Vug2bxPziNAddpaoFWeoN2l+FLB8QHTWMu0WARoX0u2VkDqelUvEoCW6Of3VH+mSItNfW2yxZXWffsSpfIxtaWK73Szqop+vL+9HWX0lt2YvRaDVZ+6kID88pwnBzeQXsBBtV4QvcR7hZOeY2IKWsmjdiQpRnIOWbDWl1lW96FKBqeUbgldVxX08K/I3erAjStCW4KY7k9tK0naLTkF1RH94tm5IeN/y8sz7HEw5OkUGUuLpRdOMRqtGhzlKQYCNptA3Z+7Vflyn+Ca06hAL+gJ+ttYsfU8YuYWkpWWBmD7pO9eUDvAkWs6LvcxDCcoC+wiO9tgczxfPFdz557b6gA67Xn0gekW3nN+0C9YL+wtQepmXCCPJb+dfo5NCx4qIUtx65QUnWNTOh3K67M8tfzKXa6jK5ly3BHNOjzbxOXstHbdmqKMAXO1Gm91c/fupyzE9LPMDQFbyP8yoEPuOQGug9WRThvEvk6PzWZ7GL+GCJhPlClYgCtgJs4XK15aZkNZ73kBb7T0KOlprClZUGMs4SgbSVzmQCsVhKKrM7gbWuaTS3TpBpXHHNG1VhkR5bPSpn/Cu6NCAfKUEPlJ25Xk5YI99LsBe6pzv4XRpFqS0czKcxRSjS3VJfICu4Resj35xhuOxdvJFnZKc3o13HRiWwWruiE4kyhJBFCbJtFwdmkcfgmXUyBlBugtq+i0Ab8e4aMdaQiL0N5Yei4RtTXsm93ijNCWxKOVdVsczpVw27sGHW5o/Fs0eTGGNq7uCMfSJV8tLAAflrqjilLCChovm9LWIwH53OMUwa85A7b6eaneeKYJYoiGcKdx4TYva5cMJWJICS8SeJspXKxOESOc8B24LpWSbQgmKI59hc8GyOfs8O+7AYZCkT8zMrDP/3ifc4j9Q5SqBJvevQ03GbuLMIdz+VkhbA/bhk3gs+eUicRsJW5EtbbCbUrB+uJx79fiAuKqIoyE+mKoONA+8nWhhJd1mJkbnaETtVp/1ZbQJ8IX2A+7xmCC/D7Lawd30FDl8Gyh/OO6kYpkltpCKiSjNrIkAIlT2ogEpvUYQBo3dSbk9G6xmMPIc17ahDN69CJ0ZhOP1O1RFzJiW8qU5erZr4YPf/072eRNUvCSRSHk5F+S7OyRgLQ68L0TYwaGXcNLINmoMC2n2oSTzzAfrdyVRRIj1ebfw43GrC7guOB6KkdiFXihrFI+amH1g8cBaWjl99tCLdKC45FXTs67NTguJC3b6bffzAIQ4u87BugVh+uczje0oK2XxS+xKlqKdIka/G+X6iMhHHa8DAiarDiWkDR7tQ1pbgjgj6fCVA0HUaylnHxFnH9oC82qtkou7ZzQNXvSuFVTVvzqxpNvwJVKVip4jCwCz2CLzwCVwZRoqPw2UOnas= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59NfJKZDOAvOVouDERW3IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNxjWLwyoIX95yRHFXKdMI+BkVChenio/1q0nJSZoF9ASQvO7zBnmOH7+ICDGAMpA6ikRTcVdPeY0xxSVSCWtLqJfNAEBnZq/8Y/R7W3ZLGYmdeRmkfYP43yqPNoLMfjU6OUr3FW3eYJTzTJsPa3LzN0u/ePSzqzhaApoTrFqJ2APDGx5ShdudroN1oL6iSVyumsqBlvYrwErtIyoS8P1ealKTmb7tl4f+xQgUywQ0y3b5AfuNxULW+jrLjawF/i8jPcKPSgg42AWKL+6QkSvCmihYFZEvlEvSMvAIPhkdQYIE31UkGdyf6MLZ1N1lk/l+RKezsE1XSZCurrb9dAPFyVb8p9LuwbtQnBcHCVpbDNEcisCbTRnJeaMEJwb9s0v1GWczfS3KIMDB/FzIH5qA== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/de1ecc019ba1eed3

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (275) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
    "C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:468
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WMAJAIYOPI-MANUAL.txt
    1⤵
      PID:1624
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • F:\$RECYCLE.BIN\WMAJAIYOPI-MANUAL.txt

      Filesize

      8KB

      MD5

      e0e9378f738a1c01caa214098b449ab2

      SHA1

      ed13c2aa3223c2c7c4c5f45ef5a65eff16329f43

      SHA256

      96324fc293382fcc0b35aac3b3b4ab990061fc1162240f10f0ed35e8cfa7a8c5

      SHA512

      2317251108b34c372a2b84242534e5e519a7a129de9191bf9e2709cdc2c1dc1e9da63e94905d01b1efdc77841bb19c00fed283f9cc21e8218d1f4980234ff4ab

    • memory/4216-1-0x00000000053D0000-0x00000000054D0000-memory.dmp

      Filesize

      1024KB

    • memory/4216-2-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4216-456-0x0000000000400000-0x00000000052B3000-memory.dmp

      Filesize

      78.7MB

    • memory/4216-710-0x0000000000400000-0x00000000052B3000-memory.dmp

      Filesize

      78.7MB

    • memory/4216-712-0x00000000053D0000-0x00000000054D0000-memory.dmp

      Filesize

      1024KB

    • memory/4216-714-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4216-713-0x0000000000400000-0x00000000052B3000-memory.dmp

      Filesize

      78.7MB