gandcrab | de2fb10156d4852276992216e053a0c57fccf1e79051010ebf8299a4e9e253fb

General

Target

sample.exe
Size

183KB
MD5

07fadb006486953439ce0092651fd7a6
SHA1

e42431d37561cc695de03b85e8e99c9e31321742
SHA256

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0
SHA512

5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437
SSDEEP

3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS

Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (274) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

Processes:

sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\SHRVD-DECRYPT.html	sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c123b1a9c123b64b114.lock	sample.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sample.exe

description	ioc	process
File opened (read-only)	\??\P:	sample.exe
File opened (read-only)	\??\S:	sample.exe
File opened (read-only)	\??\A:	sample.exe
File opened (read-only)	\??\E:	sample.exe
File opened (read-only)	\??\H:	sample.exe
File opened (read-only)	\??\L:	sample.exe
File opened (read-only)	\??\B:	sample.exe
File opened (read-only)	\??\G:	sample.exe
File opened (read-only)	\??\O:	sample.exe
File opened (read-only)	\??\V:	sample.exe
File opened (read-only)	\??\R:	sample.exe
File opened (read-only)	\??\T:	sample.exe
File opened (read-only)	\??\I:	sample.exe
File opened (read-only)	\??\K:	sample.exe
File opened (read-only)	\??\M:	sample.exe
File opened (read-only)	\??\N:	sample.exe
File opened (read-only)	\??\X:	sample.exe
File opened (read-only)	\??\Y:	sample.exe
File opened (read-only)	\??\Z:	sample.exe
File opened (read-only)	\??\J:	sample.exe
File opened (read-only)	\??\Q:	sample.exe
File opened (read-only)	\??\U:	sample.exe
File opened (read-only)	\??\W:	sample.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	sample.exe

Drops file in Program Files directory 31 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Program Files\ConvertFromDismount.easmx	sample.exe
File opened for modification	C:\Program Files\MeasureRegister.mht	sample.exe
File opened for modification	C:\Program Files\OutLock.wma	sample.exe
File opened for modification	C:\Program Files\RemoveExport.7z	sample.exe
File opened for modification	C:\Program Files\SendConvert.avi	sample.exe
File opened for modification	C:\Program Files\LimitRegister.wm	sample.exe
File opened for modification	C:\Program Files\SelectRemove.odt	sample.exe
File opened for modification	C:\Program Files\SetCopy.M2T	sample.exe
File opened for modification	C:\Program Files\StopGet.pptx	sample.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\SHRVD-DECRYPT.html	sample.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\SHRVD-DECRYPT.html	sample.exe
File opened for modification	C:\Program Files\FormatMeasure.potx	sample.exe
File opened for modification	C:\Program Files\MergeSplit.rar	sample.exe
File opened for modification	C:\Program Files\UndoMount.snd	sample.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\c123b1a9c123b64b114.lock	sample.exe
File created	C:\Program Files (x86)\c123b1a9c123b64b114.lock	sample.exe
File created	C:\Program Files\SHRVD-DECRYPT.html	sample.exe
File created	C:\Program Files\c123b1a9c123b64b114.lock	sample.exe
File opened for modification	C:\Program Files\BackupAssert.mov	sample.exe
File opened for modification	C:\Program Files\UseInstall.avi	sample.exe
File opened for modification	C:\Program Files\ImportHide.m4v	sample.exe
File opened for modification	C:\Program Files\SetSync.zip	sample.exe
File opened for modification	C:\Program Files\UpdateAdd.vbe	sample.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\c123b1a9c123b64b114.lock	sample.exe
File opened for modification	C:\Program Files\JoinConnect.ttc	sample.exe
File opened for modification	C:\Program Files\TestUse.pub	sample.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SHRVD-DECRYPT.html	sample.exe
File opened for modification	C:\Program Files\ClearDebug.dotx	sample.exe
File opened for modification	C:\Program Files\UnregisterDisable.ttf	sample.exe
File created	C:\Program Files (x86)\SHRVD-DECRYPT.html	sample.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c123b1a9c123b64b114.lock	sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sample.exewmic.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sample.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sample.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sample.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sample.exe

pid process

2652 sample.exe
2652 sample.exe

pid	process
2652	sample.exe
2652	sample.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: SeBackupPrivilege	1404	vssvc.exe
Token: SeRestorePrivilege	1404	vssvc.exe
Token: SeAuditPrivilege	1404	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 2652 wrote to memory of 3056	2652	sample.exe	wmic.exe
PID 2652 wrote to memory of 3056	2652	sample.exe	wmic.exe
PID 2652 wrote to memory of 3056	2652	sample.exe	wmic.exe
PID 2652 wrote to memory of 3056	2652	sample.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\SHRVD-DECRYPT.html

Filesize
64KB

MD5
dfdc916afd02ee38a78b390f8b5b5513

SHA1
b389e3aff7c03d4ddeedcb9814c688a9c803efa8

SHA256
6be9686597b19b237fb38ac362e3958f50989923f92644c3b982781b6bf3d9e2

SHA512
5ee99225e5f98d82ffbf8a5a96836ffb7f06c74993e6d0aff7b3cf73dc70af8f3be34b4dbe65f2c2ec7a9563b511d5910628bdc60a189a12cd34b23bd0869622

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads