Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/09/2024, 12:07
Static task: static1
Behavioral task: behavioral1, sample: sample.exe, resource: win7-20240729-en
Behavioral task: behavioral2, sample: sample.exe, resource: win10v2004-20240802-en
General
- Target: sample.exe
- Size: 183KB
- MD5: 07fadb006486953439ce0092651fd7a6
- SHA1: e42431d37561cc695de03b85e8e99c9e31321742
- SHA256: d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0
- SHA512: 5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437
- SSDEEP: 3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS
Malware Config
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (318) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (sample.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\VWZYT-DECRYPT.html (sample.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ee5e8404ee5e83e6114.lock (sample.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by sample.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" (sample.exe)
- Drops file in Program Files directory (25 IoCs)
  File created by sample.exe: C:\Program Files\VWZYT-DECRYPT.html, C:\Program Files\ee5e8404ee5e83e6114.lock, C:\Program Files (x86)\VWZYT-DECRYPT.html, C:\Program Files (x86)\ee5e8404ee5e83e6114.lock
  File opened for modification by sample.exe (all under C:\Program Files\): ConnectUndo.potx, GroupSplit.midi, InvokeInstall.aifc, OpenLock.eps, ReceiveSelect.mpe, RequestBackup.mht, CompleteSuspend.MTS, SendComplete.dotm, InstallDisable.vstx, LimitStart.doc, SearchExit.mp3, UnpublishRevoke.DVR-MS, ExpandRevoke.wmv, InitializeSplit.tiff, StepRedo.xps, SelectBlock.vstx, StartSend.search-ms, SyncExport.rar, UnprotectJoin.clr, SearchUnprotect.gif, SplitUninstall.m1v
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sample.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmic.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (sample.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (sample.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (sample.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4192 sample.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  wmic.exe (PID 2972), each token adjustment observed twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  vssvc.exe (PID 2376): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4192 (sample.exe) wrote to memory of PID 2972 (procid_target 83), 3 events
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  PID: 4192
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\wbem\wmic.exe (depth 2)
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    PID: 2972
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2376
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
- Filesize: 64KB
- MD5: bf07914221e2b090ccd0adc6428e94b9
- SHA1: 156cc124836d4b175abb4bfbaa945298fde7ab48
- SHA256: 5259d525b1c129e5fc3e0ab312b4373d863669da88c222218a32823f6085350a
- SHA512: 7b62bb929e02b569553ba8d3db5d6152e42af377e98cb2018e9a91f231bc3473418955d327e202f7e4b4e48534ade0bcd6de9ba4725cdc3b63a9b495bf8f3c79