gandcrab | da339696b9080919ca4df03e3ae91451043b92e22d6eb05a9caa88b2b60e6dd6

General

Target

RNSM00328.7z
Size

655KB
MD5

8700b06be6294762c61a224f8238d9db
SHA1

1ab220e0142fdb6ac5a561134905e19faf796566
SHA256

da339696b9080919ca4df03e3ae91451043b92e22d6eb05a9caa88b2b60e6dd6
SHA512

99c45cca0cb9eb25db56671ea821dc1b6512acafee2c08747fa1b419897531808cf63e0f69e6373c12a788a89d9f8d898c38f039fbc28d280c6d747ea4418f2f
SSDEEP

12288:Q/K65pEPkpLNV1hfwSU9ejI0KbwrFbRGZ2xkTmaTI:Qy652spJpfBU9ejA6tS2xImac

Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/94e0a739109c8777 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANrTpMTmmH3aNx2oPtsMaY6ISeEXO7CD/lCYxcic5Ecx5WluVrtcC+zdoAYl1AW+lgZUCdSkQzPnBP4hVELBfdpuq/X0tlW8ueSD5VfaadPGesw8u+klGHSG0ToDuX7vv6+98sSbeELxuUVt2ykedkOmd5MG4X3sThkTOPlwkSknjGcIFV3TwP3IOFuLtPgPvqp/dYq8bfCKeJgF0zwoPhGGTNDc2vnPW8Of+PrnBaCXU7aWp2JpRWHqGIfQFwZz+ROhc7lb6Zo99QyMvJF5XJS6gGeHaH0h2TgdpUhtQK5mYJwITr+RYgzaTuPJMD4M0kEWOggwECgbv5h0fyFwFWHjFPnA74npEJVpIF+3rKMK8E/tYx3kWmuIWYKlg+xgSAnC3/96tHlYercShiGKD/pYdyuXv+hJ09SUgbxtukWIOVFt+ffh4PLV3iPhGfCDcrZG/+AVrWj3rYgKIO6pg6JKeMFUzTJLhX16Hh5d/qrevmxjxRIvJ2o2m+SYyoi5yQmDOvsi0TY/4ymM42qCB/QQWoegtsiAqYDVBIvLQtTGxcB/lat+tMVctL+U0GlEzLwXHTKuvE9gJmuL6Y9mbEOaDIpmkeIL5ujxpSMZ7Z159N8GfpOLe6sFQgTYHLB3lGJF6ULUduaOjn9wbchXXFgvgS6RHA5k5msD6Quf43lhs/yOF4FvEqd8vo84BJG8L/r66lOftzQr0F0vhQWtADkHgkUXWeWRMvhzvuSlgi3xIqmsYdU2V0+iV1tgm8aNJAZUZTLPz16zmoJDI8qRLfqWqU7M3rpCmqRC5qp/SnS2py6s93w8QvtkBwE6xb9QnaXw68gs7DpWTRJdcXI4/EPNm5cQMESiRq8go/W/fjNhFES2att+CQ3miMxDqOyYySIIVsIhgxh5iujSdZ2d77l99OwuZlTz9ogltch/SOm9SI7BmgLe3eY6xMPWzf2YxO1SLfFxJ0vwCVRGEK1KVeAylOG1gF8vvXLmMj0CyHktDC+H4SJfyZlcKnHc5dV2djk5Hs4Hb+l0lZhI5txdHPhJS3EUOj2JzK4BdNORfbDkVFe38xEUa5FxxcsiNxv58s2GeiDtjbTDFLLKBTqoRVQueSBo3/6/MX/8Sy00M3NuR+Xa7wWxJMnTGOY9h0u2ELau8vT/tpDE0A8obVDUjd0MAgBVRlVuFBNwYd6SFgu3QB75ldZQ73xX7LXfIPw2eo6xosDTgbE+nX1aBwPGIyElsyefPzPFDoUbBEr7AqgwEoXPjoLhtimyHvf4XFLvEwS52XoLR08upWh1A3MD1R1cRP9QmHM+e42bFILdtvRBqhKUTEhbErOmg8y4MSJAHJkiYSLDU9XX7Bc/t6cwhOKIW1g6rN8BoIMl02edDDvZBg7vAH6kI6nZ6y2uC7bDmhZzk/Gi6/wKqsA/WHeSnLiQ6/e1OSAowxyZd7MnKIXlRHsYqxEy/WxERyTZrBWM+db5kPoI+GtC5SAfeBAZURZqVKduEEEwgpHIcpLuxSgB0IYPCSOwJfpKY+BkXz+JxXVqe9BDb/jAuUIiC3PbKdAXbN3kehNvi9T9T/ySQCQpAQk9/nhgIqjhU9xLXUgBtr3dDwmAT4yfAAEitfyskN+HQ+rbtpFaPjQlpSC1q1jzxwtfWRCWf6YSidNTWU7ZkSfaTTTI9gPpiPbtxN+m6lbmKxXc5It93dEPZek8paeEhPPwG9JnUFruvIPG/kJMKAIyll1n1EnfPx1j4VpHSFnOOciE6bYn9JttCn7n8wzKNKRRqUeOD+NRvRLpY1dzY7UZQeE1m8KHQfbwLss8KEa3v6ySz6jdbClTjA6cKibuon8M6/NdJk6xuqCRBRL3gt/MWD/yKglqrvwNDM+t4B2KEgvD1gDGgszLWgIlxq1uMvmp5cmzd2d0MSA/g9mLRJ8Er6ppN9nfeCdl/1jxQ0XcXNtVPMjOhNLCj+NyElgdhbX7NVBVbvGKNKJYxSKqbKufmZuPHAnOpB4jGnD5ujqpxsPGzR9HmQNtX9Z3gkZMnBXOkuNlKDoyh7Pi6yepoWLwdW8Ae/hbNOvDHzWhu3EXDuIV/CdLJJwz67tyG2KLpZS3qUOBQnQMo+8e9fSlasPKHJkmpBWTQ7IRl7J38f2H7Wy04VV3HpOuMDdxoG5bmfVlT1wKdDb7socxeVj2FSUV0GUGyUddyrhSymxf2s68KVRfTDf2u8r99hZFTOEMsMfGAf+aO13VrMXE9mYwrbZFRZI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZdToRRs3YK7mpWq7fFTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi6rF2kR3B4OL1/2E2EusvGtpYbFqKBnTtpRHREd4bpicE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg72Zi7pDhFL3vXLN+at1wYZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH1Hp4Oar+NRZwP9okRV/rusrPFzMX9PXYGh9gzrewdRb9tHf+DbmDW4OIcXpReLdQq9FxhO1LL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/94e0a739109c8777

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (326) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

Processes:

Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\109c809a109c877a54.lock	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

Executes dropped EXE 5 IoCs

Processes:

Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exeTrojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exeTrojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exeTrojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exeTrojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

pid	process
2688	Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
2936	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
2560	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
1896	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
1536	Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

Loads dropped DLL 8 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

2220 WerFault.exe
2220 WerFault.exe
2220 WerFault.exe
2220 WerFault.exe
1604 WerFault.exe
1604 WerFault.exe
1604 WerFault.exe
1604 WerFault.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

description	ioc	process
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

Drops file in Program Files directory 43 IoCs

Processes:

Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

description	ioc	process
File opened for modification	C:\Program Files\RemoveOpen.docx	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\SubmitImport.mpg	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\ConvertSave.pot	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\EnterExpand.mid	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\GetSubmit.aiff	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\OutExpand.xhtml	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\ResolveBlock.nfo	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\109c809a109c877a54.lock	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\UninstallLimit.mpeg	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\PushMount.xlsm	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\SelectDeny.TTS	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\TraceSwitch.pot	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\ClearProtect.docx	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\ConfirmUse.reg	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\LimitReceive.xlsx	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\InvokeLock.m4a	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\OutProtect.DVR-MS	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\RegisterHide.avi	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\SplitGet.mid	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\CompareHide.doc	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\CompressApprove.wdp	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\ExportPop.ogg	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\109c809a109c877a54.lock	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files\109c809a109c877a54.lock	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\PublishConvert.potm	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\SuspendEnable.ps1	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\DisablePing.vst	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\HideUninstall.rle	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\LockSync.mp2	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\RegisterSearch.vssx	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\RepairSend.bmp	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\RequestMount.zip	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\RevokeEnter.ps1	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\109c809a109c877a54.lock	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\CloseCopy.pot	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\ExitRequest.doc	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File opened for modification	C:\Program Files\GrantWrite.wps	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\109c809a109c877a54.lock	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2220	2936	WerFault.exe	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
1604	1896	WerFault.exe	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exeTrojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exeTrojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exeTrojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exewmic.exeTrojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	nsis_installer_1
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exeTrojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exeTrojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

pid	process
2688	Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
2560	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
2560	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
1536	Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

7zFM.exewmic.exevssvc.exe

description	pid	process
Token: SeRestorePrivilege	3048	7zFM.exe
Token: 35	3048	7zFM.exe
Token: SeSecurityPrivilege	3048	7zFM.exe
Token: SeIncreaseQuotaPrivilege	1636	wmic.exe
Token: SeSecurityPrivilege	1636	wmic.exe
Token: SeTakeOwnershipPrivilege	1636	wmic.exe
Token: SeLoadDriverPrivilege	1636	wmic.exe
Token: SeSystemProfilePrivilege	1636	wmic.exe
Token: SeSystemtimePrivilege	1636	wmic.exe
Token: SeProfSingleProcessPrivilege	1636	wmic.exe
Token: SeIncBasePriorityPrivilege	1636	wmic.exe
Token: SeCreatePagefilePrivilege	1636	wmic.exe
Token: SeBackupPrivilege	1636	wmic.exe
Token: SeRestorePrivilege	1636	wmic.exe
Token: SeShutdownPrivilege	1636	wmic.exe
Token: SeDebugPrivilege	1636	wmic.exe
Token: SeSystemEnvironmentPrivilege	1636	wmic.exe
Token: SeRemoteShutdownPrivilege	1636	wmic.exe
Token: SeUndockPrivilege	1636	wmic.exe
Token: SeManageVolumePrivilege	1636	wmic.exe
Token: 33	1636	wmic.exe
Token: 34	1636	wmic.exe
Token: 35	1636	wmic.exe
Token: SeIncreaseQuotaPrivilege	1636	wmic.exe
Token: SeSecurityPrivilege	1636	wmic.exe
Token: SeTakeOwnershipPrivilege	1636	wmic.exe
Token: SeLoadDriverPrivilege	1636	wmic.exe
Token: SeSystemProfilePrivilege	1636	wmic.exe
Token: SeSystemtimePrivilege	1636	wmic.exe
Token: SeProfSingleProcessPrivilege	1636	wmic.exe
Token: SeIncBasePriorityPrivilege	1636	wmic.exe
Token: SeCreatePagefilePrivilege	1636	wmic.exe
Token: SeBackupPrivilege	1636	wmic.exe
Token: SeRestorePrivilege	1636	wmic.exe
Token: SeShutdownPrivilege	1636	wmic.exe
Token: SeDebugPrivilege	1636	wmic.exe
Token: SeSystemEnvironmentPrivilege	1636	wmic.exe
Token: SeRemoteShutdownPrivilege	1636	wmic.exe
Token: SeUndockPrivilege	1636	wmic.exe
Token: SeManageVolumePrivilege	1636	wmic.exe
Token: 33	1636	wmic.exe
Token: 34	1636	wmic.exe
Token: 35	1636	wmic.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

3048 7zFM.exe
3048 7zFM.exe

pid	process
3048	7zFM.exe
3048	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exeTrojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exeTrojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

description	pid	process	target process
PID 2936 wrote to memory of 2220	2936	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 2936 wrote to memory of 2220	2936	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 2936 wrote to memory of 2220	2936	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 2936 wrote to memory of 2220	2936	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 1896 wrote to memory of 1604	1896	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 1896 wrote to memory of 1604	1896	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 1896 wrote to memory of 1604	1896	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 1896 wrote to memory of 1604	1896	Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe	WerFault.exe
PID 2560 wrote to memory of 1636	2560	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe	wmic.exe
PID 2560 wrote to memory of 1636	2560	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe	wmic.exe
PID 2560 wrote to memory of 1636	2560	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe	wmic.exe
PID 2560 wrote to memory of 1636	2560	Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00328.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3048

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 28
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2220

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 320
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00328\KRAB-DECRYPT.txt
1⤵
PID:1248

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\KRAB-DECRYPT.txt

Filesize
8KB

MD5
d4aa211240fe42c87b0168b79a426ac2

SHA1
5fbe8df64dcd65fd9163960be9e8fb67f5feda33

SHA256
7670e4b5d546c501fe5bf39812a26bda71f34bd2b826708aed01d14f4bb73f32

SHA512
0e9288129f839fbf7be243b260e792d89a3dc6dd551065f45abdc861f1ea85e714c95b74a72c80448058afe6dfdbe0b8ecf5a7043d3dcf381096d1fe4f41178f

Download Submit
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

Filesize
620KB

MD5
656cc69b46593e3b3c8ea6a7a1ba014e

SHA1
8a8332b36643046c59de0f6fcb09b330f622ca02

SHA256
60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61

SHA512
5304105332ca0d5b2d1db58e634e0363516d352a6885b1019fe63aeadd9ba1ee397915d9dc0c80bf92d50b0685f3a9a690499372eedb4d08e7f7836f1d451552

Download Submit
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe

Filesize
155KB

MD5
cc20143aa35e089367573b78d088d428

SHA1
26bbe3845ab534084ded8354740c0ce03277ab74

SHA256
683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72

SHA512
b47aac3f7626796ab0f4478137c54162004a09333bf6761db9a9458f4c3c732e7b2219b6759c86aa8052b0bbf18a8a4fa26ff08b5a6baaad2d0244aaae4e88f8

Download Submit
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

Filesize
821KB

MD5
67bcba43a06d7d11d8cf7e44acd7fd21

SHA1
06f933753de3c825d488b1ced4ba90343ce4532e

SHA256
da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098

SHA512
a2435ea29047d973b8b0fe78a1c80154039a92b4f3af04bdf970713a4f601c7964211eee182d131f2e71031e2a2a11f95cc9e07549ccb16a4d74e10e5b9eb81a

Download Submit
memory/1536-869-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2560-15-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2560-866-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2688-14-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads