Analysis
-
max time kernel
44s -
max time network
31s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system -
submitted
24-07-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
Resource
win10-20240611-en
General
-
Target
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
-
Size
291KB
-
MD5
e6b43b1028b6000009253344632e69c4
-
SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c
-
SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
-
SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
-
SSDEEP
6144:nSRCSpUtLz+/enihebWBUOP3yIhLVMmi0CtG7go+I:SUOEnNnHbmP3yIE3tGX
Malware Config
Extracted
F:\$RECYCLE.BIN\WMAJAIYOPI-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/de1ecc019ba1eed3
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (275) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 2 IoCs
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WMAJAIYOPI-MANUAL.txt bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9ba1e93e9ba1eed2410.lock bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exedescription ioc process File opened (read-only) \??\O: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\Y: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\G: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\N: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\P: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\Q: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\T: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\U: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\W: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\V: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\A: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\B: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\E: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\H: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\I: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\K: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\S: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\X: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\J: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\L: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\M: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\R: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened (read-only) \??\Z: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe -
Drops file in Program Files directory 33 IoCs
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exedescription ioc process File opened for modification C:\Program Files\EnableUse.mp2 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\EnterRead.emf bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\UpdateMerge.M2V bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\UnprotectSubmit.gif bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File created C:\Program Files\9ba1e93e9ba1eed2410.lock bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\ClearStep.mht bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\CloseCheckpoint.pptm bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\EnableWrite.ogg bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\StepResize.otf bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\UnlockJoin.xps bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File created C:\Program Files (x86)\9ba1e93e9ba1eed2410.lock bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\EditSwitch.emf bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\EditSync.dwg bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\LimitRepair.svg bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\OptimizeImport.gif bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\SkipUse.jpe bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File created C:\Program Files (x86)\WMAJAIYOPI-MANUAL.txt bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\ConnectResume.txt bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\ExportSplit.wmf bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\RequestConvertTo.rmi bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\UninstallPing.dib bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File created C:\Program Files\WMAJAIYOPI-MANUAL.txt bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\ClearCheckpoint.docx bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\OptimizeGrant.shtml bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\OptimizeRevoke.vst bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\SendSet.xps bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\SplitMount.ttc bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\InstallBlock.pptx bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\LimitLock.odp bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\LockSet.ps1xml bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\OpenComplete.vbs bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\StartExpand.otf bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe File opened for modification C:\Program Files\ExportFind.mp4 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.execmd.exevssadmin.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 468 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exepid process 4216 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe 4216 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe 4216 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe 4216 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 4964 vssvc.exe Token: SeRestorePrivilege 4964 vssvc.exe Token: SeAuditPrivilege 4964 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.execmd.exedescription pid process target process PID 4216 wrote to memory of 1556 4216 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe cmd.exe PID 4216 wrote to memory of 1556 4216 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe cmd.exe PID 4216 wrote to memory of 1556 4216 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe cmd.exe PID 1556 wrote to memory of 468 1556 cmd.exe vssadmin.exe PID 1556 wrote to memory of 468 1556 cmd.exe vssadmin.exe PID 1556 wrote to memory of 468 1556 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe"C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe"1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:468
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WMAJAIYOPI-MANUAL.txt1⤵PID:1624
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5e0e9378f738a1c01caa214098b449ab2
SHA1ed13c2aa3223c2c7c4c5f45ef5a65eff16329f43
SHA25696324fc293382fcc0b35aac3b3b4ab990061fc1162240f10f0ed35e8cfa7a8c5
SHA5122317251108b34c372a2b84242534e5e519a7a129de9191bf9e2709cdc2c1dc1e9da63e94905d01b1efdc77841bb19c00fed283f9cc21e8218d1f4980234ff4ab