Overview

overview

10

Static

static

10

017b236bf3...d6.exe

windows7-x64

10

05676f2007...fb.exe

windows7-x64

3

0a025116a8...57.exe

windows7-x64

8

1.exe

windows7-x64

8

18674bbd9a...38.exe

windows7-x64

8

234901adb1...b2.exe

windows7-x64

10

2ae06537d1...b6.exe

windows7-x64

8

2c02c65090...91.exe

windows7-x64

7

3.exe

windows7-x64

10

329b3ddbf1...f9.exe

windows7-x64

10

336fe6e8bc...de.exe

windows7-x64

8

4bd31921c8...be.exe

windows7-x64

8

4e180437ef...a9.exe

windows7-x64

1

539b0b5d54...05.exe

windows7-x64

10

53bf3a0bff...35.exe

windows7-x64

8

$PLUGINSDIR/INetC.dll

windows7-x64

3

5d63c27043...42.exe

windows7-x64

8

$PLUGINSDIR/INetC.dll

windows7-x64

3

5d6e1eeab9...84.exe

windows7-x64

8

63136e1d44...b5.exe

windows7-x64

8

658110c095...6f.exe

windows7-x64

8

74cafa4165...c5.exe

windows7-x64

8

88bf025119...30.exe

windows7-x64

5

9fbf62bd6a...a0.exe

windows7-x64

9

a89591555b...df.exe

windows7-x64

10

add230a2e7...10.exe

windows7-x64

10

c83bf900eb...31.exe

windows7-x64

10

ccbf53569b...71.exe

windows7-x64

8

db725306e6...8b.exe

windows7-x64

10

e035a1741d...5f.exe

windows7-x64

7

e2f4dfe61d...f8.exe

windows7-x64

8

f10e957b92...41.exe

windows7-x64

8

Analysis

  • max time kernel
    614s
  • max time network
    618s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe

  • Size

    93KB

  • MD5

    bdbca2193b35706fef4ce9368af7a886

  • SHA1

    216e8cf79eced5dba6365b1648cb8ca126ef0cae

  • SHA256

    234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2

  • SHA512

    af70ab8b4738a2c5a7869f202a850357d71cb43d67498b87525924dfbd2f456254d0ecb4c2651797b2ec75c3717cf0a4433a7d7573a27bbb55ac644c75009a49

  • SSDEEP

    1536:7w2p3ieRXCkxEoSXf6GizDhp2keW8PaoYEXOcrHuTc+N:cSyex5yoSPmzKkeW8iEXjHU

Score
10/10
gandcrabbackdoorcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\KNBVE-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KNBVE The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/b868264b1fb48b44 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAH6uJTqtekVsMhi3Mrle8/zHY8cfVeKIIC2uJ+K6PaKa7fkFQitwLj/kWIRo1AsEHQbe2t3oT04vNYMsNz7EreyIh4P4AHMg1w8UVDGzQB4M4hbxlqSBm0X0aBZP/fPGyvZe5WL+EpijMAj5p+xpo9DgLQd/+ghoqIhG/PUfp4igYiZKfrGoFRE1A3RHEwT+UCCbujAa15TtlptwQGCP3FJTwLCZVoRWB7KHm6JUUzQjmtizwdmpHQcP8rqAWiK3noFtNQ06PlBXFdM/quJiyRGkEE80/StL6vmrQWoY7uqpJCY71WSo9pBBSX/GG287i6F9cUiprz6fpDR06WksKJfOrwcKY1B2EBeI2Y9U8c20/WbntAyjnFzwm1gUxF5ZOjIaO77RJ+grNDwUKzgJQRU4DTvuV/t3PAQsyXCAajtZsyShrgnqhxE5x5C8YsrCYn5GalQkX7y6XjRsEDhBdIDNNPkygPu3/v9WDwhwvMZaLDe9dhzdkE2H5GE5bX1U3kQuATsLZ5Z7WwbH5GXni4Yh+ilEA2JjRRbg0PG6vxWWjj4kV8CodhPIr1YF+bQJQfplEHbBbo0dvzHZy9l7+MC9ly2pEEsTJk28lU2MH/LtIyWPSh1/dalyB4P64DYoys5Shc6pCniQ4bcQc1QfJQCg4DF/rdg9c1u7s9AGEO+ceWsciCaiIhDGJJV/H5Jq9HssrddRpf8GYJScsHyzm3tNLxxDM1eUPAVjY4LJVIn18C4TJJCeyTuHwzJe+XxxC8Pv4WeRPFlwId8Gnh1/smYo+ATZs1na2EK18zTXQ50WetyZeuaQHMdzkKsDz40xeEdeSjt0OmOYVkHQWCty9i/UxIi+mcCUTgSfc1l2a99RNro1pcv37fSDBMcfoBgq1a4idDPfElzxlbF3uePBzcnj55dnK9KrWfK4bXxZdvxn/LSc4HG1ZVW1x72ltgVyPBQodIxDHGGF4w5BglDFK71/DH7jaHBKg9D7gqn6mFo5RTu+seUGlee2mMOxZAbXRoMLfWbGk9eQueX/SnaByiarmRht6gsaWAHKWtd9gBm6I0EOL08ILfGQ3oyET92POkZzQ0Nf2scTZrNrnJQ9zKwB2J0ijDn8YaqobL/g9fgz/VnwJg7uFddD1C2sozsb6v1eT1HCUilHS2Iu+TI6mcUawYV1gnnpL5zz7H1+yt4lPO9CvN34bLGpFElQHFW9A54BLnsAOVvuuhKFU0GtP3k0kdVTrV2c0abQpqZ6UkPqVZg8hNG9GJ48Q9w1hO+F2ld3ZmCdYyvCbB/Ft61kLoSe0NGnaaj0nq/8ui+acePuCMp/uhDgTcy7uJ8zFVnxBgF80CZGIUzFM2oYrkoTH1yW+N9GGiWk2rvSBhga2NWu7wHG+6l9Rx8HKCFbeAEBzTn97Q1jz5jKcMzSFmTeaDXPz1B7LxgxXKXtwZC17e8YojIBNBjeeJcf5Te922R4p9oQs0soJZRkHeqA/4fdU+PdzUsK0clc6Ib02QJ3SX1SZfdug3MW05YF/M3a7BAoLcJvtzt/UZTRPPtrwU/eQ70Ua/pd1A0CF7WV2wuGysuBBEzraSB5EP3LV2pdnSWLTXdC5C/9VK/uNC4P8qkzOfJEbqjgZ50dBQcW+XO+3PYmhgD+5Z1RUvjfctPlORnrGDFdSAl1uvvQhElOiF4KJFrzyHdCQJ0gveR7HLInGrHTfKKMBe7oRlbUltiNlJKo72p+5AFa+AeABRPGQQ5q1R9zd6/GfKP6R1475k9Hjw8QwcrXZkB6PPkvsvTD/SqnGXxNK33bbC81UW/rA2wXBn3ktU9zDKdIQ+Vmm3JuPtCvBVL43cpztaN+iqhJpo4iQkeFdGyB8sCSJyZ48mOlS+MZOAx7chMEujJHD7kOViFLG6hTVkeY0b2N+L3s0a936qJkaV+z/bzLB/uqZ4z8vsFBp/wo1LOijTFPdFOJ+42MCiSpQkJxbIIYxjw/lMnpBjDWfVuLT/KvU7YGMGh+EmplTec7LXy44clgjqAExOtbBkWN86sHZ06t7npapYJVFxIkpJDV1f/f6MSy7B4aT81ei3Pq2g6teg247ct/Koru7shUjjJ4MUoav9GONgQofCmzp0NT6/nUIgXfMT2mQLOEJE068WAzSCbgOfVtnxdsF6k0xvK2fN3mkVsybGBnC8sJv0AGlYIhbr51ECtoRjrzPCCxmPDaog7cu/hPPhCSL2KGSGZDQfjM9Ii/axLpbW2jVqQ= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDr9MzJMpDfAueVs+DJRX7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSVCDNtLyJddAPBiJqqsZsR+G3Z7GemdCRhEfSP93y+PNzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhqApoTPFpp2CPDOx6ihEudzoNVoM6j2VyOmqqBlvZbwDrtsypS8B1filVjmQ7q14GuxOgTOwQUyhb/ofzNwkLQejqrjTwFji9zPbKPSghI2dWKf+5gkQvDGihIFfEv5EsSM5AN7hzdQVIFj1CUHPyeWMbJ0A1gw/7uRQeyoEinT3CrvrP9dFPEuVKsorLqwb4AnecHqVubCDEZSsSLSNnIyaZEI9b5008FGYczrSlaIGDBHFzoGoqA9wiUaNxMzG ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/b868264b1fb48b44

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Gandcrab family
    gandcrab
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (277) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
    "C:\Users\Admin\AppData\Local\Temp\234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:588
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2980
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\KNBVE-MANUAL.txt
    1⤵
      PID:1192

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\KNBVE-MANUAL.txt
      Filesize

      8KB

      MD5

      87170f1d236b237dfba228bad745be13

      SHA1

      d2731e24ba83fe288b3951d2e75319394368961d

      SHA256

      8740b90ba0bbe2f41ca9c7a5dd2e5669979fe894ce6dd15b9a7413b5cfcaeb7d

      SHA512

      2af9670f31ef646da23cb9796a90ffc137fddc945eda12b6e48732e74664d57ccb23a68e7a7e54f570f2013615ababfa05dd16cc9c4bd7e2f63967809b9b6857

      Download Submit