gandcrab | 3d967cb5197fb3fdfd57c1b6832c2445cee711021a723ae497465b5945a1a2de

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Size

137KB
MD5

ac439c5a39a815402d807c989ecc7a6d
SHA1

859fa92674ee5551986b5ca86f48bd0454514354
SHA256

3d967cb5197fb3fdfd57c1b6832c2445cee711021a723ae497465b5945a1a2de
SHA512

31ba3e5a1ce7a00928beb531b8c56d0039d87d1dca3444a1941b0900d5a42be95a17a3bf3092b466769d38db5957d76e647bb3fc9f100941ad98eb0924a95957
SSDEEP

1536:ymFff+GbWDmMAvQmHWlOMDSzWiO5MOYTB6m+GCgp10sWjcdCiIjUA0ZTwy2:ymjbWaMAvx2WSisuBY67CiIjD

Score

10^/10

gandcrab backdoor defense_evasion discovery execution impact ransomware

Malware Config

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\X:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\Z:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\G:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\H:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\L:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\O:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\R:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\J:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\N:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\W:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\Y:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\S:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\A:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\K:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\M:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\P:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\Q:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\B:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\E:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\I:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\T:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
File opened (read-only)	\??\V:	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 0400000001000000100000008f5d770627c4983c5b9378e7d77d9bcc0300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a19456800000001000000080000000000876ace99d1011d0000000100000010000000d06bc27453aa4f6d586437e5d3b37798140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c090000000100000020000000301e06082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c070b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000000f0000000100000010000000824bae7c7cb3a15ce851a396760574a320000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 190000000100000010000000e559465e28a60e5499846f194087b0e50f0000000100000010000000824bae7c7cb3a15ce851a396760574a30b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000006200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c07090000000100000020000000301e06082b0601050507030306082b0601050507030406082b06010505070301140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c1d0000000100000010000000d06bc27453aa4f6d586437e5d3b377986800000001000000080000000000876ace99d1010300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a19450400000001000000100000008f5d770627c4983c5b9378e7d77d9bcc20000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 5c0000000100000004000000000400000400000001000000100000008f5d770627c4983c5b9378e7d77d9bcc0300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a19456800000001000000080000000000876ace99d1011d0000000100000010000000d06bc27453aa4f6d586437e5d3b37798140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c090000000100000020000000301e06082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c070b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000000f0000000100000010000000824bae7c7cb3a15ce851a396760574a3190000000100000010000000e559465e28a60e5499846f194087b0e520000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 5c0000000100000004000000000800000b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c06200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f51400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b271d000000010000001000000054e2cd85ba79cda018fed9e6a863aa46030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 0f0000000100000010000000824bae7c7cb3a15ce851a396760574a30b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000006200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c07090000000100000020000000301e06082b0601050507030306082b0601050507030406082b06010505070301140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c1d0000000100000010000000d06bc27453aa4f6d586437e5d3b377986800000001000000080000000000876ace99d1010300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a194520000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3700	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
3700	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
3700	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
3700	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3304	wmic.exe
Token: SeSecurityPrivilege	3304	wmic.exe
Token: SeTakeOwnershipPrivilege	3304	wmic.exe
Token: SeLoadDriverPrivilege	3304	wmic.exe
Token: SeSystemProfilePrivilege	3304	wmic.exe
Token: SeSystemtimePrivilege	3304	wmic.exe
Token: SeProfSingleProcessPrivilege	3304	wmic.exe
Token: SeIncBasePriorityPrivilege	3304	wmic.exe
Token: SeCreatePagefilePrivilege	3304	wmic.exe
Token: SeBackupPrivilege	3304	wmic.exe
Token: SeRestorePrivilege	3304	wmic.exe
Token: SeShutdownPrivilege	3304	wmic.exe
Token: SeDebugPrivilege	3304	wmic.exe
Token: SeSystemEnvironmentPrivilege	3304	wmic.exe
Token: SeRemoteShutdownPrivilege	3304	wmic.exe
Token: SeUndockPrivilege	3304	wmic.exe
Token: SeManageVolumePrivilege	3304	wmic.exe
Token: 33	3304	wmic.exe
Token: 34	3304	wmic.exe
Token: 35	3304	wmic.exe
Token: 36	3304	wmic.exe
Token: SeIncreaseQuotaPrivilege	3304	wmic.exe
Token: SeSecurityPrivilege	3304	wmic.exe
Token: SeTakeOwnershipPrivilege	3304	wmic.exe
Token: SeLoadDriverPrivilege	3304	wmic.exe
Token: SeSystemProfilePrivilege	3304	wmic.exe
Token: SeSystemtimePrivilege	3304	wmic.exe
Token: SeProfSingleProcessPrivilege	3304	wmic.exe
Token: SeIncBasePriorityPrivilege	3304	wmic.exe
Token: SeCreatePagefilePrivilege	3304	wmic.exe
Token: SeBackupPrivilege	3304	wmic.exe
Token: SeRestorePrivilege	3304	wmic.exe
Token: SeShutdownPrivilege	3304	wmic.exe
Token: SeDebugPrivilege	3304	wmic.exe
Token: SeSystemEnvironmentPrivilege	3304	wmic.exe
Token: SeRemoteShutdownPrivilege	3304	wmic.exe
Token: SeUndockPrivilege	3304	wmic.exe
Token: SeManageVolumePrivilege	3304	wmic.exe
Token: 33	3304	wmic.exe
Token: 34	3304	wmic.exe
Token: 35	3304	wmic.exe
Token: 36	3304	wmic.exe
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 3304	3700	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe	87
PID 3700 wrote to memory of 3304	3700	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe	87
PID 3700 wrote to memory of 3304	3700	2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-25_ac439c5a39a815402d807c989ecc7a6d_gandcrab_karagany_metamorfo.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3304