Analysis Overview
SHA256
b2d7ac8c41da4ee464bdcb9c7418ca02cd84373f9a35e4bab1bdd1e9b6c3c9a1
Threat Level: Known bad
The file bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.7z was found to be: Known bad.
Malicious Activity Summary
Gandcrab
Deletes shadow copies
Renames multiple (275) files with added filename extension
Drops startup file
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 17:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 17:10
Reported
2024-07-24 17:11
Platform
win10-20240611-en
Max time kernel
44s
Max time network
31s
Command Line
Signatures
Gandcrab
Deletes shadow copies
Renames multiple (275) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WMAJAIYOPI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9ba1e93e9ba1eed2410.lock | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4216 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4216 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4216 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1556 wrote to memory of 468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 1556 wrote to memory of 468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 1556 wrote to memory of 468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
"C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WMAJAIYOPI-MANUAL.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| GB | 87.248.205.0:80 | tcp | |
| US | 8.8.8.8:53 | www.kakaocorp.link | udp |
Files
memory/4216-1-0x00000000053D0000-0x00000000054D0000-memory.dmp
memory/4216-2-0x0000000000400000-0x000000000041B000-memory.dmp
F:\$RECYCLE.BIN\WMAJAIYOPI-MANUAL.txt
| MD5 | e0e9378f738a1c01caa214098b449ab2 |
| SHA1 | ed13c2aa3223c2c7c4c5f45ef5a65eff16329f43 |
| SHA256 | 96324fc293382fcc0b35aac3b3b4ab990061fc1162240f10f0ed35e8cfa7a8c5 |
| SHA512 | 2317251108b34c372a2b84242534e5e519a7a129de9191bf9e2709cdc2c1dc1e9da63e94905d01b1efdc77841bb19c00fed283f9cc21e8218d1f4980234ff4ab |
memory/4216-456-0x0000000000400000-0x00000000052B3000-memory.dmp
memory/4216-710-0x0000000000400000-0x00000000052B3000-memory.dmp
memory/4216-712-0x00000000053D0000-0x00000000054D0000-memory.dmp
memory/4216-714-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4216-713-0x0000000000400000-0x00000000052B3000-memory.dmp