Analysis

max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2024 10:52
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  Resource: win10v2004-20240709-en
General

Target: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Size: 137KB
MD5: 82ee11ed81b268ddb650dca21b13ba99
SHA1: 3c06983cd31d9c469de4087854dbccb3818e835e
SHA256: 174124e4c690c487ffe0a9b8a607f16a609a1d003cbe8945e4be04158bcd2e67
SHA512: d0574a7ef1050a7750b76b0075a3ca8f6064ead954059b0fcc7dc1d4913a50b04eaabfbb53099c09730d06afb29f3a1700b3fa039599ddb87349df65c182ee24
SSDEEP: 1536:ymFff+GbWDmMAvQmHWlOMDSzWiO5MOYTB6m+GFgp10sWjcdCiIjUA0ZIFy2:ymjbWaMAvx2WSisuB767CiIjDF

Malware Config

Signatures
Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
  Processes:
    pid   process
    2792  cmd.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\K:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\O:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\P:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\Q:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\S:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\T:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\W:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\A:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\B:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\H:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\M:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\N:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\U:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\Z:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\E:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\L:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\V:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\X:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\Y:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\G:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\I:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\J:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    File opened (read-only)  \??\R:  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                    process
    Set value (str)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                           process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmic.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                            process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Delays execution with timeout.exe (1 IoC)
  Processes:
    pid   process
    2824  timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
    1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe

Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes:
    description                          pid   process
    Token: SeIncreaseQuotaPrivilege      2136  wmic.exe
    Token: SeSecurityPrivilege           2136  wmic.exe
    Token: SeTakeOwnershipPrivilege      2136  wmic.exe
    Token: SeLoadDriverPrivilege         2136  wmic.exe
    Token: SeSystemProfilePrivilege      2136  wmic.exe
    Token: SeSystemtimePrivilege         2136  wmic.exe
    Token: SeProfSingleProcessPrivilege  2136  wmic.exe
    Token: SeIncBasePriorityPrivilege    2136  wmic.exe
    Token: SeCreatePagefilePrivilege     2136  wmic.exe
    Token: SeBackupPrivilege             2136  wmic.exe
    Token: SeRestorePrivilege            2136  wmic.exe
    Token: SeShutdownPrivilege           2136  wmic.exe
    Token: SeDebugPrivilege              2136  wmic.exe
    Token: SeSystemEnvironmentPrivilege  2136  wmic.exe
    Token: SeRemoteShutdownPrivilege     2136  wmic.exe
    Token: SeUndockPrivilege             2136  wmic.exe
    Token: SeManageVolumePrivilege       2136  wmic.exe
    Token: 33                            2136  wmic.exe
    Token: 34                            2136  wmic.exe
    Token: 35                            2136  wmic.exe
    Token: SeIncreaseQuotaPrivilege      2136  wmic.exe
    Token: SeSecurityPrivilege           2136  wmic.exe
    Token: SeTakeOwnershipPrivilege      2136  wmic.exe
    Token: SeLoadDriverPrivilege         2136  wmic.exe
    Token: SeSystemProfilePrivilege      2136  wmic.exe
    Token: SeSystemtimePrivilege         2136  wmic.exe
    Token: SeProfSingleProcessPrivilege  2136  wmic.exe
    Token: SeIncBasePriorityPrivilege    2136  wmic.exe
    Token: SeCreatePagefilePrivilege     2136  wmic.exe
    Token: SeBackupPrivilege             2136  wmic.exe
    Token: SeRestorePrivilege            2136  wmic.exe
    Token: SeShutdownPrivilege           2136  wmic.exe
    Token: SeDebugPrivilege              2136  wmic.exe
    Token: SeSystemEnvironmentPrivilege  2136  wmic.exe
    Token: SeRemoteShutdownPrivilege     2136  wmic.exe
    Token: SeUndockPrivilege             2136  wmic.exe
    Token: SeManageVolumePrivilege       2136  wmic.exe
    Token: 33                            2136  wmic.exe
    Token: 34                            2136  wmic.exe
    Token: 35                            2136  wmic.exe
    Token: SeBackupPrivilege             1244  vssvc.exe
    Token: SeRestorePrivilege            1244  vssvc.exe
    Token: SeAuditPrivilege              1244  vssvc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                      target process
    PID 1716 wrote to memory of 2136   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  wmic.exe
    PID 1716 wrote to memory of 2136   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  wmic.exe
    PID 1716 wrote to memory of 2136   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  wmic.exe
    PID 1716 wrote to memory of 2136   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  wmic.exe
    PID 1716 wrote to memory of 2792   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  cmd.exe
    PID 1716 wrote to memory of 2792   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  cmd.exe
    PID 1716 wrote to memory of 2792   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  cmd.exe
    PID 1716 wrote to memory of 2792   1716  2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe  cmd.exe
    PID 2792 wrote to memory of 2824   2792  cmd.exe                                                                      timeout.exe
    PID 2792 wrote to memory of 2824   2792  cmd.exe                                                                      timeout.exe
    PID 2792 wrote to memory of 2824   2792  cmd.exe                                                                      timeout.exe
    PID 2792 wrote to memory of 2824   2792  cmd.exe                                                                      timeout.exe
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe"
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1716

    C:\Windows\SysWOW64\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2136

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\AppData\Local\Temp\2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe" /f /q
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2792

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout -c 5
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID: 2824

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1244