Malware Analysis Report

2024-12-07 17:35

Sample ID 241112-wg3q3awqgt
Target RNSM00328.7z
SHA256 da339696b9080919ca4df03e3ae91451043b92e22d6eb05a9caa88b2b60e6dd6
Tags
gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file RNSM00328.7z was found to be: Known bad.

Malicious Activity Summary

Gandcrab family

Gandcrab

Deletes shadow copies

Renames multiple (326) files with added filename extension

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-12 17:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 17:54

Reported

2024-11-12 17:55

Platform

win7-20240903-en

Max time kernel

40s

Max time network

38s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00328.7z"

Signatures

Gandcrab

ransomware backdoor gandcrab

Gandcrab family

gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (326) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\109c809a109c877a54.lock C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

NSIS installer

installer

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe N/A

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2220 N/A C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe C:\Windows\SysWOW64\WerFault.exe
PID 1896 wrote to memory of 1604 N/A C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe C:\Windows\SysWOW64\WerFault.exe
PID 2560 wrote to memory of 1636 N/A C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00328.7z"

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe"

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe

"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 28

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe"

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe

"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 320

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00328\KRAB-DECRYPT.txt

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

"C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe"

Network

Files

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Purga.hf-da1cc6a846326aa237ae0d8db950d960f411e33157debaf6e826772213bb6098.exe

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.Globim.ge-683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72.exe

C:\Users\Admin\Desktop\00328\Trojan-Ransom.Win32.GandCrypt.cqo-60b862503ba4a49bd19e492f979cc56f0017ae773c825848422730a88d1efe61.exe

C:\MSOCache\KRAB-DECRYPT.txt
