Malware Analysis Report

2024-10-18 21:56

Sample ID 240724-vppnqszhrf
Target bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.7z
SHA256 b2d7ac8c41da4ee464bdcb9c7418ca02cd84373f9a35e4bab1bdd1e9b6c3c9a1
Tags gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 b2d7ac8c41da4ee464bdcb9c7418ca02cd84373f9a35e4bab1bdd1e9b6c3c9a1

Threat Level: Known bad

The file bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.7z was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer

Gandcrab

Deletes shadow copies

Renames multiple (275) files with added filename extension

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-24 17:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 17:10

Reported

2024-07-24 17:11

Platform

win10-20240611-en

Max time kernel

44s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (275) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WMAJAIYOPI-MANUAL.txt C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9ba1e93e9ba1eed2410.lock C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A

The two files written to the Word STARTUP folder are the ransom note and the lock marker, the same pair seen under Program Files and Program Files (x86) below. Neither is executable content, so this signature reflects the encryption sweep reaching that folder rather than a persistence mechanism.

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\EnableUse.mp2 C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\EnterRead.emf C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\UpdateMerge.M2V C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\UnprotectSubmit.gif C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File created C:\Program Files\9ba1e93e9ba1eed2410.lock C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\ClearStep.mht C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\CloseCheckpoint.pptm C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\EnableWrite.ogg C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\StepResize.otf C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\UnlockJoin.xps C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File created C:\Program Files (x86)\9ba1e93e9ba1eed2410.lock C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\EditSwitch.emf C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\EditSync.dwg C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\LimitRepair.svg C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\OptimizeImport.gif C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\SkipUse.jpe C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File created C:\Program Files (x86)\WMAJAIYOPI-MANUAL.txt C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\ConnectResume.txt C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\ExportSplit.wmf C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\RequestConvertTo.rmi C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\UninstallPing.dib C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File created C:\Program Files\WMAJAIYOPI-MANUAL.txt C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\ClearCheckpoint.docx C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\OptimizeGrant.shtml C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\OptimizeRevoke.vst C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\SendSet.xps C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\SplitMount.ttc C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\InstallBlock.pptx C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\LimitLock.odp C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\LockSet.ps1xml C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\OpenComplete.vbs C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\StartExpand.otf C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
File opened for modification C:\Program Files\ExportFind.mp4 C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

The reads by cmd.exe and vssadmin.exe are ordinary process start-up access to the locale key and carry no signal on their own; only the sample's own read is relevant to this signature.

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

vssvc.exe is the Volume Shadow Copy service. Enabling these privileges is the service's normal behaviour while it handles the vssadmin request, not token manipulation performed by the sample itself.

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
"C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe"

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WMAJAIYOPI-MANUAL.txt

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe

Each entry is the image path followed by the command line it ran with. cmd.exe and vssadmin.exe are listed under SysWOW64 although the command line names system32: the sample is a 32-bit process, so WoW64 file-system redirection resolves its system32 reference to SysWOW64. vssvc.exe is the Volume Shadow Copy service, started to serve the vssadmin request.
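The signatures and process tree above are what an endpoint detection would have to reconstruct from raw telemetry. The following Python is an added example, not part of the sandbox report or any vendor's code: it runs four detections over constructed Sysmon-style event records built from this report's indicators (the vssadmin chain, the wallpaper registry write, the ransom note and lock file drops, the renamed files under Program Files). Assumptions: all PIDs other than 4216 are invented, the appended extension "wmajaiyopi" is assumed because the report does not list it, the registry key is written in HKU form rather than the report's \REGISTRY\USER form, and the ATT&CK technique IDs are the editor's mapping, since the report's MITRE section is empty. The recovery-inhibition pattern goes beyond the page's single vssadmin case and also matches the common wmic, wbadmin and bcdedit equivalents.

```python
"""Re-derive this report's behavioural signatures from endpoint telemetry.

Added example, not part of the sandbox report or of any vendor's code. Events
are constructed Sysmon-style records built from the indicators above; PIDs
other than 4216 and the appended extension are assumptions.
"""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe")
EXT = "wmajaiyopi"  # ASSUMED: the report does not list the appended extension

NOTE_DIRS = [r"C:\Program Files", r"C:\Program Files (x86)",
             r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP", r"F:\$RECYCLE.BIN"]
RENAMED = ["EnableUse.mp2", "EnterRead.emf", "UpdateMerge.M2V", "UnprotectSubmit.gif",
           "ClearStep.mht", "CloseCheckpoint.pptm", "EnableWrite.ogg", "StepResize.otf"]

# Constructed telemetry modelled on the report's process tree, registry and file indicators.
EVENTS = [
    {"type": "process", "pid": 4216, "ppid": 3000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 4300, "ppid": 4216, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet'},
    {"type": "process", "pid": 4312, "ppid": 4300, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "registry_set", "pid": 4216,
     "key": r"HKU\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\AppData\Local\Temp\bxmeoengtf.bmp"},
    # Benign noise: a single user rename must not trip the mass-rename rule.
    {"type": "file_rename", "pid": 900, "src": r"C:\Users\Admin\notes.txt",
     "dst": r"C:\Users\Admin\notes.txt.bak"},
]
EVENTS += [{"type": "file_create", "pid": 4216, "path": d + r"\WMAJAIYOPI-MANUAL.txt"} for d in NOTE_DIRS]
EVENTS += [{"type": "file_rename", "pid": 4216, "src": r"C:\Program Files" + "\\" + n,
            "dst": r"C:\Program Files" + "\\" + n + "." + EXT} for n in RENAMED]

# Commands that destroy or disable recovery data (ATT&CK T1490). The report shows only
# the vssadmin form; the other patterns are common equivalents that deserve the same alert.
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|vssadmin(\.exe)?\s+resize\s+shadowstorage"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.IGNORECASE)


def ancestry(pid, procs):
    """Walk ppid links back to the oldest process we know about; images child-first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def detect(events, rename_threshold=5, note_threshold=3):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    # T1490 Inhibit System Recovery, reported with the chain back to the launching process.
    for e in procs.values():
        if RECOVERY_INHIBIT.search(e["cmdline"]):
            findings.append({"technique": "T1490", "pid": e["pid"], "chain": ancestry(e["pid"], procs)})
    # T1486 Data Encrypted for Impact: one process appending the same extension to many files.
    per_pid = defaultdict(Counter)
    for e in events:
        if e["type"] == "file_rename" and e["dst"].lower().startswith(e["src"].lower() + "."):
            per_pid[e["pid"]][e["dst"][len(e["src"]) + 1:].lower()] += 1
    for pid, exts in per_pid.items():
        ext, n = exts.most_common(1)[0]
        if n >= rename_threshold:
            findings.append({"technique": "T1486", "pid": pid, "extension": ext, "count": n})
    # Ransom note: the same file name written into several directories by one process.
    notes = defaultdict(set)
    for e in events:
        if e["type"] == "file_create":
            directory, _, name = e["path"].rpartition("\\")
            notes[(e["pid"], name.lower())].add(directory.lower())
    for (pid, name), dirs in notes.items():
        if len(dirs) >= note_threshold:
            findings.append({"technique": "T1486", "pid": pid, "note": name, "dirs": len(dirs)})
    # T1491.001 Internal Defacement: wallpaper replaced through the registry.
    for e in events:
        if e["type"] == "registry_set" and e["key"].lower().endswith(r"\control panel\desktop\wallpaper"):
            findings.append({"technique": "T1491.001", "pid": e["pid"], "value": e["value"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On real hosts the same logic would be fed from Sysmon process-creation, file-creation and registry-set events; the thresholds are deliberately low for the constructed sample and should be raised (the report counts 275 renames) and scoped to user and data directories before being used for alerting.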

Network

Country Destination Domain Proto
GB 87.248.205.0:80 (none) tcp
US 8.8.8.8:53 www.kakaocorp.link udp

The udp row is a DNS query for www.kakaocorp.link sent to 8.8.8.8; the tcp row is a direct connection to 87.248.205.0 on port 80 with no domain associated in the capture.

Files

memory/4216-1-0x00000000053D0000-0x00000000054D0000-memory.dmp

memory/4216-2-0x0000000000400000-0x000000000041B000-memory.dmp

F:\$RECYCLE.BIN\WMAJAIYOPI-MANUAL.txt

MD5 e0e9378f738a1c01caa214098b449ab2
SHA1 ed13c2aa3223c2c7c4c5f45ef5a65eff16329f43
SHA256 96324fc293382fcc0b35aac3b3b4ab990061fc1162240f10f0ed35e8cfa7a8c5
SHA512 2317251108b34c372a2b84242534e5e519a7a129de9191bf9e2709cdc2c1dc1e9da63e94905d01b1efdc77841bb19c00fed283f9cc21e8218d1f4980234ff4ab

memory/4216-456-0x0000000000400000-0x00000000052B3000-memory.dmp

memory/4216-710-0x0000000000400000-0x00000000052B3000-memory.dmp

memory/4216-712-0x00000000053D0000-0x00000000054D0000-memory.dmp

memory/4216-714-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4216-713-0x0000000000400000-0x00000000052B3000-memory.dmp