Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2024 16:29

General

  • Target

    2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe

  • Size

    97KB

  • MD5

    bc5c8cbbe66ca3ea05604509d334e617

  • SHA1

    084ed6abd5ded9948bf7d0a41b3c99cb35208426

  • SHA256

    79300246f195358830de5994005b0398924482e774a3244748c3b71d98b8ebaf

  • SHA512

    47fbbf0479247c0fb94f1644ebd0c170dea89d29349181a125b4afbd5eb39367951b35a9e225dc5b790a9384e359b2fc96eec0853fb0156c4b87fa2cf8ce94f0

  • SSDEEP

    1536:ufuwLvvKeqM0TRl79lvhWAwVl5OpqIyedIVjC3E8dzcrHuTcxLUllPR:umwLXnqM0Nl795twDIyeeBG+HUiUj

Malware Config

Extracted

Path

C:\Users\IRGHI-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .IRGHI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/8ff12e803809f69d | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAPEbtseeZ/P5Pg1Y0gE1Zx/DPMMCUwqYJqZ9Gla+ZK2MaaAXQoNjoAhIIh4dZMyypKuAD7fL8wh+madmjgZ7hAG6hgJyuwlzhHi5In+Rcj8WD4pWVarGBiXpoPxg++iRF9psFQtVmclzgO2x1Agv4cGZA4zSNy/p0YS/tHGHgJskRkJp0NcFRr4JhnS1sgnTrviSsKfDhQDz8leX9FbYKLMZeQopn5rPTbOuG0avYn4GVbyIrrcHfFDw86NEW8f4FY92jxo6Ev5OTwWWIpUQKpwnYpTiTb0O1UaF/FhVLGARYsWZkC6j9lnlDrLK1JOQpk0NarJ/lko6bQEORGNw84HbLLEQkGQ0GteWFm7e1ow2Aj8A66JdqPgu3EUgg4eV/kqwm/cPokz1zOEcu2L/3iJOsiFAL2EhH9K+HEPCvJQD/hc1TllT4CUDlhALvP6jYjAHnKdSRN8x/y+d07Z8imBisNFksArOMUW8uRRxho+zbjPxcTZmNKOBuj0JwRlnQejlqXHH3AaUXyduwv5uJGmc6IjPWwmk85l2wdT/eJjPZktxCZrmluJ4dHNCizbuTJBPyNNk5Sj4eZutqzquv6XJ0koBKk/wybzkKSU0+dU4SMce+9lhzs3tZ5jq5EyqhMneUOs4j5PMCyo14BI/RF2jRe6zWLcLWQRq4Wy4cYqnXtX+Ji/sKPNlEvs9j4oAScfGd0yu0491LCBgf23wE4X3cEfD7lnG4cOiYAtWeINpUOrasA6BSjzx12OzB69HsGPnj2agsgsxBxkdF2th1U1plOrlSUZcyT7EfdKxUupaRgLCxYIKl46SjBb/oxATHGCgyLdA06FvKXC1/+RwluripnZB3r7RmMAsgad/b4FcIJg7nyUB4ljGfXeddf6HXNRzb1/WDRbT8FJ2uBfggcTxse2zNvQdI0+HIh+91kqDae3/MHYE3PuFagG4JoWHSk4iTT/9qKG5jDHhPmJMMFiTRlh6kKMKpvW5uK8l4fGN3SCp6ogZ1qOIqDIELCeDocvFr47U7ADeNSgLQHxujKG8d1BkDotkSrrPoSifWRAvv7HJz+0ERHI7iclcZGHpV5UepJiDrEYyP2DtVCO2aSLCoEA/9dcOfYAT0Q6wbLXbKmTspSr0lM7y5QUpydtuCh49zLkbohoEV1h2Whaf5rE19/4UZ3bB+02Q2/Bit/96E4wSGbU9yEAWx8bPKswMksxoPzKkciBhuircFFJiVP8njDgJJ9wMPKXCfsjBd4puCnbW0iE1I1N1yXM0KKKlg+b1ioUbpFJc/wWylw/+4svn1fjyRK48O6rjLogrvYybFBmmHAam4RtX89eLqY8kHhcLHOZLCPA677v7JKQhU4lnND0oKMv6+4YX5KKonBoUAtro0319w2bnAqGwQ2mLxnzyVf27J/PIvle9Qmsf2Vs+BA+I3cIaXZ+1cPf3kCKTBEi6eUB9S+Lj7KnzB2H+XpsUarAzoiSc3vV7IDdexAvcF31qYZ2ZEuHeNqJlBcFLzMJQrh53ead7i6I4olJ6XdXRac4GbUAgNi3jSsrAR6b4Occ07JJ434TgTSP2+H71jh1znJKFoeQFF34FH6MIADmlOrPQB7bBY2Igebh1HbqAWbA5iP8r+DNTHBc0vITB1zzq6UtdrKWVU7hUMh0mhGR67s+3eph+I88ZK99ROTvnfiP6rN0Qa4AVp3w2ZbRTrmgb/pMfeDzED47fo6v5RMYXNbs84KPnD5ov2tbV51Gdmt1rSKVT3+VSmVspzM19cYdMFRHEfyC8xvJuWsv064wpRLgE4OctduFZVBHfUWDZ0+NknSqkGL4d8tFIIH+lwJ5dGwqFMrpY2Y5Z998IQXD6xdMKimfWn7m/J+YSLPi9/q9kvpQ26v+RkRjDu06mx545m/aBNHo6HwN0jNd3EmDTL0o0XPQGE9KBtdHDhycIjQm8m4ysdYhRU53quFe4unFla82h5po/694MTbqOP3iPow4eBpkQajI/Ku5qHy2WTw2KyS1emVxyglsRsRdOc8hFw6NBWUO4J9r9Po72zEwhq5pURBZuGhfYeQGqGeQGCdUovhokfKv2jcYOf6BmdTqtVI90AOJ3F+nGP19yVNmiaHTGmwTGkVcm2XrtGZlOWi6XLI95RIbMk5ujQklmZs5b3MK16zmKvA6qXIewge04l0gvWVd8RTqCqQE/ECOWLIUruC+Nl/u7dyd+d3Nhk0Fn1DWzOtHg1c9R6bxQxidmLX0= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDp9NPJKZDVAveVs+DSRW/IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSDiCTtOyJfNAPBnFqpsY+R+O3ObHMmd2R2keGP9DyqPNzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhqApoTPFpp2CPDOx6ihEudzoNVoM6j2VyOmqqBlvZbwDrtsypS8B1filVjmQ7q14GuxOgTOwQUyhb/ofzNwkLQejqrjTwFji9zPbKPSghI2dWKf+5gkQvDGihIFfEv5EsSM5AN7hzdQVIFj1CUHPyeWMbZ0K1gs/7uRQeyoEinT3CrvrP9dFPEuVLsogLq8b4AnecHqVubCDEZSsSLSNnIyaZEI9b5008FGYczrSlaIGDBHFzoGoqA9wiUaNxMzG ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/8ff12e803809f69d

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (260) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2480
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\IRGHI-MANUAL.txt

    Filesize

    8KB

    MD5

    1ac2c1dd30c124db962eb79c4e249a50

    SHA1

    79e906bca6dde33694a9c6447ae1667ed4503d42

    SHA256

    247ab5a2577134b1d3374653a543524078169f2323dd0c7c4af4765aba7145f8

    SHA512

    658d542d2f05f1c27bc5974afd08aa77c52e8e8004fc91f04dcffae6ee5ce342a458c575f2cf98587f77d31d55f6fb776247c923146b7e85f061de2574fd6be5