Overview
overview
10Static
static
10017b236bf3...d6.exe
windows7-x64
10017b236bf3...d6.exe
windows10-2004-x64
1005676f2007...fb.exe
windows7-x64
305676f2007...fb.exe
windows10-2004-x64
70a025116a8...57.exe
windows7-x64
80a025116a8...57.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
31.exe
windows7-x64
81.exe
windows10-2004-x64
818674bbd9a...38.exe
windows7-x64
818674bbd9a...38.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3234901adb1...b2.exe
windows7-x64
10234901adb1...b2.exe
windows10-2004-x64
102ae06537d1...b6.exe
windows7-x64
82ae06537d1...b6.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
32c02c65090...91.exe
windows7-x64
72c02c65090...91.exe
windows10-2004-x64
73.exe
windows7-x64
103.exe
windows10-2004-x64
10329b3ddbf1...f9.exe
windows7-x64
10329b3ddbf1...f9.exe
windows10-2004-x64
10336fe6e8bc...de.exe
windows7-x64
8336fe6e8bc...de.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
34bd31921c8...be.exe
windows7-x64
84bd31921c8...be.exe
windows10-2004-x64
8Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 13:46
Behavioral task
behavioral1
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
1.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
3.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win10v2004-20241007-en
General
-
Target
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
-
Size
97KB
-
MD5
125923ce61dffa8276a2a77e84d2832a
-
SHA1
1801bb09f18b2b491e0e1831c2765a96efc1e493
-
SHA256
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6
-
SHA512
aac5ef5260702228a165e72f4721d7df414e33b92a64c8b00c440c9e15ae85aead9fe2d978eea72733f1df84eea9d06fdff04e69ff4f67b0592a1c4a3ae1b433
-
SSDEEP
1536:ufuwLvvKeqM0TRl79lvhWAwVl5OpqIyedIVjC3E87zcrHuTcxLUllPR:umwLXnqM0Nl795twDIyeeB8+HUiUj
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\BLHSN-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/697fbeabed4d5628
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (278) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\BLHSN-MANUAL.txt 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ed4d51c5ed4d562541c.lock 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\Y: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\A: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\H: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\I: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\K: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\L: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\Q: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\T: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\U: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\G: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\Z: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\V: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\R: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\W: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\N: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\E: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\J: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\M: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\O: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\P: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\S: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened (read-only) \??\B: 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe -
Drops file in Program Files directory 22 IoCs
description ioc Process File opened for modification C:\Program Files\SearchMerge.dxf 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\StartInstall.tif 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\BLHSN-MANUAL.txt 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files\BLHSN-MANUAL.txt 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\ConvertToCheckpoint.mp4 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\InvokeWatch.xlsm 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\ReadJoin.mov 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ed4d51c5ed4d562541c.lock 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\MeasureSubmit.aifc 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\StartAssert.xltx 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\BLHSN-MANUAL.txt 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\BLHSN-MANUAL.txt 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\ed4d51c5ed4d562541c.lock 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\ed4d51c5ed4d562541c.lock 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ed4d51c5ed4d562541c.lock 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files\ed4d51c5ed4d562541c.lock 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\ReadUnregister.mov 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\UninstallGroup.ADTS 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File created C:\Program Files (x86)\BLHSN-MANUAL.txt 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\DisconnectExpand.ps1 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\ReadCheckpoint.TS 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe File opened for modification C:\Program Files\SwitchSync.doc 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2692 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2696 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe 2696 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1820 vssvc.exe Token: SeRestorePrivilege 1820 vssvc.exe Token: SeAuditPrivilege 1820 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2252 2696 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe 31 PID 2696 wrote to memory of 2252 2696 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe 31 PID 2696 wrote to memory of 2252 2696 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe 31 PID 2696 wrote to memory of 2252 2696 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe 31 PID 2252 wrote to memory of 2692 2252 cmd.exe 33 PID 2252 wrote to memory of 2692 2252 cmd.exe 33 PID 2252 wrote to memory of 2692 2252 cmd.exe 33 PID 2252 wrote to memory of 2692 2252 cmd.exe 33 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe"C:\Users\Admin\AppData\Local\Temp\017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe"1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2692
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD54f7d528e6f8bbf60632ba45f1dcef4ee
SHA1eb3af21197133c37f3a8c1e7e1195b8d8a9cee41
SHA256209f6461c4298a4aeaa34a9e3a8381370632a54f07f8035e87eafc602edacdaa
SHA512bf4f7b572459ac7349e6394a4dd4de82e547de36514c21379bb2226de14365fd4d11d6789b11c304f3e53ed2646f9ff5f53c657b929ae69e49b654a11bda9397