Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 17:25
Static task: static1
Behavioral task: behavioral1
  Sample: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  Resource: win10v2004-20240709-en
General
- Target: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
- Size: 291KB
- MD5: e6b43b1028b6000009253344632e69c4
- SHA1: e536b70e3ffe309f7ae59918da471d7bf4cadd1c
- SHA256: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
- SHA512: 07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
- SSDEEP: 6144:nSRCSpUtLz+/enihebWBUOP3yIhLVMmi0CtG7go+I:SUOEnNnHbmP3yIE3tGX
Malware Config
Extracted
- Path: F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\KVNLC-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/617249f86352b664
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (320) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Drops startup file (2 IoCs)
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6352b1896352b665410.lock | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KVNLC-MANUAL.txt | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  description | ioc | process
  File opened (read-only) | \??\P: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\S: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\W: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\Y: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\E: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\G: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\N: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\O: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\B: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\K: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\T: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\Z: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\M: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\Q: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\R: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\H: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\I: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\J: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\L: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\A: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\U: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\V: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened (read-only) | \??\X: | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
- Drops file in Program Files directory (43 IoCs)
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  description | ioc | process
  File opened for modification | C:\Program Files\PushMount.xlsm | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\SubmitImport.mpg | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\TraceSwitch.pot | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files\6352b1896352b665410.lock | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\DisablePing.vst | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\OutProtect.DVR-MS | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\PublishConvert.potm | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\ClearProtect.docx | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\ConfirmUse.reg | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\SplitGet.mid | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KVNLC-MANUAL.txt | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6352b1896352b665410.lock | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\CompressApprove.wdp | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\GrantWrite.wps | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\HideUninstall.rle | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\SuspendEnable.ps1 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files\KVNLC-MANUAL.txt | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\LimitReceive.xlsx | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\RevokeEnter.ps1 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6352b1896352b665410.lock | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\RequestMount.zip | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\SelectDeny.TTS | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\6352b1896352b665410.lock | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KVNLC-MANUAL.txt | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\CloseCopy.pot | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\CompareHide.doc | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\EnterExpand.mid | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\ExitRequest.doc | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KVNLC-MANUAL.txt | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6352b1896352b665410.lock | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\RegisterSearch.vssx | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\RemoveOpen.docx | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\UninstallLimit.mpeg | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File created | C:\Program Files (x86)\KVNLC-MANUAL.txt | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\ExportPop.ogg | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\OutExpand.xhtml | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\RegisterHide.avi | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\RepairSend.bmp | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\ResolveBlock.nfo | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\ConvertSave.pot | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\GetSubmit.aiff | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\InvokeLock.m4a | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  File opened for modification | C:\Program Files\LockSync.mp2 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe, cmd.exe, vssadmin.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vssadmin.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2928 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  pid | process
  1960 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  1960 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 2812 | vssvc.exe
  Token: SeRestorePrivilege | 2812 | vssvc.exe
  Token: SeAuditPrivilege | 2812 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe, cmd.exe
  description | pid | process | target process
  PID 1960 wrote to memory of 2688 | 1960 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | cmd.exe
  PID 1960 wrote to memory of 2688 | 1960 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | cmd.exe
  PID 1960 wrote to memory of 2688 | 1960 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | cmd.exe
  PID 1960 wrote to memory of 2688 | 1960 | bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe | cmd.exe
  PID 2688 wrote to memory of 2928 | 2688 | cmd.exe | vssadmin.exe
  PID 2688 wrote to memory of 2928 | 2688 | cmd.exe | vssadmin.exe
  PID 2688 wrote to memory of 2928 | 2688 | cmd.exe | vssadmin.exe
  PID 2688 wrote to memory of 2928 | 2688 | cmd.exe | vssadmin.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a.exe"
  PID: 1960
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    PID: 2688
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 2928
      - System Location Discovery: System Language Discovery
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2812
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2)
- File Deletion (2)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1)
- Windows Credential Manager (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
- Filesize: 8KB
- MD5: d95baec6812c2d53bf82973c94a135fd
- SHA1: 929ebdb640771a9956ab621d79a93a681f916b60
- SHA256: 190144c9bbfa801408c89a39696ffdc4920ef6b4bb95368cd26377fe93bd1c3a
- SHA512: 9996291ec878638b4b5bffc4e858bffa3b573b6f285b66a7c39028bf0b35a2cc02c636b9a17c6952eddbcf919c54189bfb7be5175c49a04548d4d5bba48b1417