Malware Analysis Report

2025-01-03 09:01

Sample ID: 240928-tzgkfaxgrh
Target: 2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab
SHA256: 79300246f195358830de5994005b0398924482e774a3244748c3b71d98b8ebaf
Tags: gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 79300246f195358830de5994005b0398924482e774a3244748c3b71d98b8ebaf

Threat Level: Known bad

The file 2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab was found to be: Known bad.

Malicious Activity Summary


Gandcrab

Renames multiple (260) files with added filename extension

Renames multiple (311) files with added filename extension

Deletes shadow copies

Drops startup file

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-28 16:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-28 16:29
Reported: 2024-09-28 16:32
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (260) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\3809f1703809f692114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\IRGHI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\MountBlock.ram | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\PublishMount.ex_ | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\UninstallMount.hta | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files\3809f1703809f692114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\MountCompare.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\3809f1703809f692114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\InstallRemove.aiff | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\3809f1703809f692114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\IRGHI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\DenyRegister.wmf | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\IRGHI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\AssertUndo.pps | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\MountSearch.php | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\OpenUse.rle | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\ResetSend.rle | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\NewExit.wpl | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\ReceiveSend.pcx | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\SubmitGet.xlsx | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\3809f1703809f692114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files\IRGHI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\TraceSkip.edrwx | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\IRGHI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\RepairStart.mpg | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\StopConnect.jpeg | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\UnpublishApprove.ttf | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\IRGHI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\3809f1703809f692114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\FindSkip.zip | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

C:\Users\IRGHI-MANUAL.txt

MD5: 1ac2c1dd30c124db962eb79c4e249a50
SHA1: 79e906bca6dde33694a9c6447ae1667ed4503d42
SHA256: 247ab5a2577134b1d3374653a543524078169f2323dd0c7c4af4765aba7145f8
SHA512: 658d542d2f05f1c27bc5974afd08aa77c52e8e8004fc91f04dcffae6ee5ce342a458c575f2cf98587f77d31d55f6fb776247c923146b7e85f061de2574fd6be5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-28 16:29
Reported: 2024-09-28 16:32
Platform: win10v2004-20240910-en
Max time kernel: 141s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Renames multiple (311) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LKVPGRA-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9ff03a009ff03de2114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\DenyGrant.dib | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\DenyUnblock.tiff | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\PingRename.vst | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\RestartUnregister.dwfx | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\CompleteDebug.emf | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\DisconnectRead.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\LKVPGRA-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\InitializeJoin.mpe | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\ResizeImport.inf | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\SendCompare.dwfx | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\UseDeny.asx | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\WatchNew.mpeg | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files\9ff03a009ff03de2114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\EnableNew.temp | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\PopJoin.aiff | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\UnpublishInstall.avi | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\UnregisterWait.3gp | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files\LKVPGRA-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\ApproveCompare.3g2 | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\TraceStop.docx | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File created | C:\Program Files (x86)\9ff03a009ff03de2114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\PingPublish.wmf | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\StartMove.DVR | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\ConnectSuspend.svg | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\MoveConvertTo.zip | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\PopStep.emf | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\ProtectTest.ogg | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
File opened for modification | C:\Program Files\AssertEdit.mp2v | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.kakaocorp.link | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp

Files

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\LKVPGRA-MANUAL.txt

MD5: ca9f0688fb8d115cd24fef94a463fd9b
SHA1: a9c15e81ab32fb5737c115b0a3163db618a73ccd
SHA256: 56c641f65ae8fc44637ddf1530eaec6a97dc07159b2b099f4932a23feec6118c
SHA512: 64dc536c1147997655eb35cc0ec9d81041f3903c5a96d2e61abf206803b73440c33b36c16ec87d54fb93cbb0df39709b0b94c16621469fc59d112cf3189a379e