Analysis Overview
SHA256
da339696b9080919ca4df03e3ae91451043b92e22d6eb05a9caa88b2b60e6dd6
Threat Level: Known bad
The file RNSM00328.7z was found to be: Known bad.
The archive holds three separate ransomware executables, named after their AV detection labels (Purga, Globim and GandCrypt; see Files). The Gandcrab family verdict and the ransom-note, shadow-copy and file-rename behaviour recorded below come from the GandCrypt sample, the only one of the three named as the acting process in the indicator tables. Two WerFault.exe invocations (for PIDs 2936 and 1896) show that two of the launched processes crashed; the report does not state which.
Malicious Activity Summary
Gandcrab family
Gandcrab
Deletes shadow copies
Renames multiple (326) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Enumerates connected drives
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
NSIS installer
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:54
Reported
2024-11-12 17:55
Platform
win7-20240903-en
Max time kernel
40s
Max time network
38s
Command Line
Signatures
Gandcrab
Gandcrab family
Deletes shadow copies
Renames multiple (326) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt | C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\109c809a109c877a54.lock | C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
NSIS installer
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
The 7zFM.exe rows are 7-Zip's normal behaviour when extracting an archive. The wmic.exe rows show wmic enabling the full set of privileges available to an administrator token before running `shadowcopy delete` (the adjustment is recorded twice for the single wmic.exe process); vssvc.exe is the Volume Shadow Copy service handling that request. The numeric tokens are privilege LUIDs the sandbox did not resolve to names; they are annotated below.
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00328.7z"
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe"
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 28
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe"
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 320
C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00328\KRAB-DECRYPT.txt
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe"
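Detection logic for the two highest-value behaviours in this process list, written as an added example (it is not the sandbox's own logic and not code from the report): the `wmic.exe shadowcopy delete` process creation, and a non-Office process writing files into the Word STARTUP folder (the ransom note and the .lock file from the "Drops startup file" table). The events are constructed from the command lines and file paths on this page, plus one constructed benign control (WINWORD.EXE writing a template into STARTUP, a path assumed for illustration). The `Event` class, rule names and regular expressions are this example's own; the vssadmin and Win32_ShadowCopy patterns cover equivalent deletion methods other ransomware uses and are not taken from this report.

```python
"""Detection rules for shadow copy deletion and Office STARTUP folder drops.
Added example; sample events are constructed from the command lines and
file paths in this sandbox report plus one constructed benign control."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    kind: str                 # "process" (creation) or "file" (creation)
    image: str                # full path of the acting process
    command_line: str = ""    # process events only
    target: str = ""          # file events only: the path that was created


GANDCRAB = (r"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-"
            r"60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe")

# Constructed from the Processes list and the "Drops startup file" table.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\7-Zip\7zFM.exe",
          r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00328.7z"'),
    Event("process", GANDCRAB, f'"{GANDCRAB}"'),
    # Image is the SysWOW64 copy while the command line says system32:
    # WoW64 file-system redirection, because the 32-bit sample spawned it.
    Event("process", r"C:\Windows\SysWOW64\wbem\wmic.exe",
          r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'),
    Event("process", r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 28"),
    Event("process", r"C:\Windows\system32\NOTEPAD.EXE",
          r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00328\KRAB-DECRYPT.txt'),
    Event("file", GANDCRAB,
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt"),
    Event("file", GANDCRAB,
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\109c809a109c877a54.lock"),
    # Constructed benign control: Word itself writing into its own STARTUP folder.
    Event("file", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Normal.dotm"),
]

# Shadow copy deletion: the wmic form seen in this report, plus the vssadmin
# and WMI-class forms used by other families (assumed patterns, not from the page).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\b(?:delete|Remove-WmiObject|Remove-CimInstance)\b", re.I),
]

# Office trusted startup folders: anything placed here is loaded when Office starts.
OFFICE_STARTUP = re.compile(r"\\Microsoft\\(?:Word\\STARTUP|Excel\\XLSTART)\\", re.I)
OFFICE_IMAGES = {"winword.exe", "excel.exe"}


def is_shadow_copy_deletion(event: Event) -> bool:
    """Match on the command line, not the image path, so the SysWOW64 copy is caught."""
    return event.kind == "process" and any(
        p.search(event.command_line) for p in SHADOW_DELETE_PATTERNS)


def is_office_startup_drop(event: Event) -> bool:
    """A file created in an Office startup folder by anything other than Office itself."""
    if event.kind != "file" or not OFFICE_STARTUP.search(event.target):
        return False
    return PureWindowsPath(event.image).name.lower() not in OFFICE_IMAGES


RULES = {
    "shadow_copy_deletion": is_shadow_copy_deletion,
    "office_startup_drop": is_office_startup_drop,
}


def detect(events) -> list[tuple[str, Event]]:
    """Return (rule_name, event) for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name:22} {ev.image}  {ev.command_line or ev.target}")
```

Two details from this report drive the design. The wmic.exe image path is `C:\Windows\SysWOW64\wbem\wmic.exe` while its command line names `system32`, so a rule keyed on the image path `system32\wbem\wmic.exe` would miss it; matching on the command line avoids that. The STARTUP drops here are incidental (the sample writes its note and .lock into every directory it walks), but a non-Office process writing into a trusted Office startup folder is worth an alert on its own, since that folder is also a persistence location for add-ins and templates.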
Network
All name resolution goes to 8.8.8.8. c.pki.goog is Google's certificate (CRL/OCSP) endpoint and is background noise rather than sample traffic. The remaining hosts are contacted over plain HTTP (www.macartegrise.eu and www.fabbfoundation.gm also on 443) and fit GandCrab's known habit of posting check-in data to a hard-coded list of compromised third-party websites, so treat them as indicators of this sample, not as attacker-owned infrastructure. www.billerimpex.com, perovaphoto.ru and www.perfectfunnelblueprint.com were only resolved; no TCP connection to them is recorded.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.billerimpex.com | udp |
| US | 8.8.8.8:53 | www.macartegrise.eu | udp |
| US | 172.67.145.98:80 | www.macartegrise.eu | tcp |
| US | 172.67.145.98:443 | www.macartegrise.eu | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.poketeg.com | udp |
| US | 104.155.138.21:80 | www.poketeg.com | tcp |
| US | 104.155.138.21:80 | www.poketeg.com | tcp |
| US | 8.8.8.8:53 | perovaphoto.ru | udp |
| US | 8.8.8.8:53 | asl-company.ru | udp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| US | 8.8.8.8:53 | www.fabbfoundation.gm | udp |
| US | 66.235.200.146:80 | www.fabbfoundation.gm | tcp |
| US | 66.235.200.146:443 | www.fabbfoundation.gm | tcp |
| US | 8.8.8.8:53 | www.perfectfunnelblueprint.com | udp |
| US | 8.8.8.8:53 | www.wash-wear.com | udp |
| US | 104.21.40.198:80 | www.wash-wear.com | tcp |
Files
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe
| MD5 | 67bcba43a06d7d11d8cf7e44acd7fd21 |
| SHA1 | 06f933753de3c825d488b1ced4ba90343ce4532e |
| SHA256 | da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098 |
| SHA512 | a2435ea29047d973b8b0fe78a1c80154039a92b4f3af04bdf970713a4f601c7964211eee182d131f2e71031e2a2a11f95cc9e07549ccb16a4d74e10e5b9eb81a |
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe
| MD5 | cc20143aa35e089367573b78d088d428 |
| SHA1 | 26bbe3845ab534084ded8354740c0ce03277ab74 |
| SHA256 | 683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72 |
| SHA512 | b47aac3f7626796ab0f4478137c54162004a09333bf6761db9a9458f4c3c732e7b2219b6759c86aa8052b0bbf18a8a4fa26ff08b5a6baaad2d0244aaae4e88f8 |
C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe
| MD5 | 656cc69b46593e3b3c8ea6a7a1ba014e |
| SHA1 | 8a8332b36643046c59de0f6fcb09b330f622ca02 |
| SHA256 | 60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61 |
| SHA512 | 5304105332ca0d5b2d1db58e634e0363516d352a6885b1019fe63aeadd9ba1ee397915d9dc0c80bf92d50b0685f3a9a690499372eedb4d08e7f7836f1d451552 |
memory/2688-14-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/2560-15-0x0000000000400000-0x00000000004DF000-memory.dmp
C:\MSOCache\KRAB-DECRYPT.txt
| MD5 | d4aa211240fe42c87b0168b79a426ac2 |
| SHA1 | 5fbe8df64dcd65fd9163960be9e8fb67f5feda33 |
| SHA256 | 7670e4b5d546c501fe5bf39812a26bda71f34bd2b826708aed01d14f4bb73f32 |
| SHA512 | 0e9288129f839fbf7be243b260e792d89a3dc6dd551065f45abdc861f1ea85e714c95b74a72c80448058afe6dfdbe0b8ecf5a7043d3dcf381096d1fe4f41178f |
memory/2560-866-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/1536-869-0x0000000000400000-0x00000000004D4000-memory.dmp