Analysis Overview
SHA256
79300246f195358830de5994005b0398924482e774a3244748c3b71d98b8ebaf
Threat Level: Known bad
The file 2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab was found to be: Known bad.
Malicious Activity Summary
Gandcrab
Renames multiple (260) files with added filename extension
Renames multiple (311) files with added filename extension
Deletes shadow copies
Drops startup file
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-28 16:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-28 16:29
Reported
2024-09-28 16:32
Platform
win7-20240903-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Gandcrab
Deletes shadow copies
Renames multiple (260) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\3809f1703809f692114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\IRGHI-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
C:\Users\IRGHI-MANUAL.txt
| MD5 | 1ac2c1dd30c124db962eb79c4e249a50 |
| SHA1 | 79e906bca6dde33694a9c6447ae1667ed4503d42 |
| SHA256 | 247ab5a2577134b1d3374653a543524078169f2323dd0c7c4af4765aba7145f8 |
| SHA512 | 658d542d2f05f1c27bc5974afd08aa77c52e8e8004fc91f04dcffae6ee5ce342a458c575f2cf98587f77d31d55f6fb776247c923146b7e85f061de2574fd6be5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-28 16:29
Reported
2024-09-28 16:32
Platform
win10v2004-20240910-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Gandcrab
Renames multiple (311) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LKVPGRA-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9ff03a009ff03de2114.lock | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1044 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1044 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1044 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_bc5c8cbbe66ca3ea05604509d334e617_gandcrab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.kakaocorp.link | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\LKVPGRA-MANUAL.txt
| MD5 | ca9f0688fb8d115cd24fef94a463fd9b |
| SHA1 | a9c15e81ab32fb5737c115b0a3163db618a73ccd |
| SHA256 | 56c641f65ae8fc44637ddf1530eaec6a97dc07159b2b099f4932a23feec6118c |
| SHA512 | 64dc536c1147997655eb35cc0ec9d81041f3903c5a96d2e61abf206803b73440c33b36c16ec87d54fb93cbb0df39709b0b94c16621469fc59d112cf3189a379e |