Analysis
max time kernel: 141s
max time network: 42s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2024 19:53
Static task: static1
Behavioral task: behavioral1
  Sample: GandCrab.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: GandCrab.exe
  Resource: win10v2004-20241007-en
General
Target: GandCrab.exe
Size: 291KB
MD5: e6b43b1028b6000009253344632e69c4
SHA1: e536b70e3ffe309f7ae59918da471d7bf4cadd1c
SHA256: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
SHA512: 07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
SSDEEP: 6144:nSRCSpUtLz+/enihebWBUOP3yIhLVMmi0CtG7go+I:SUOEnNnHbmP3yIE3tGX
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\KJFZSEE-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/a3b83387d7d3a9ef
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Gandcrab family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (288) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KJFZSEE-MANUAL.txt | GandCrab.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\d7d3ae02d7d3a9e2314.lock | GandCrab.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\B: | GandCrab.exe
  File opened (read-only) | \??\E: | GandCrab.exe
  File opened (read-only) | \??\J: | GandCrab.exe
  File opened (read-only) | \??\U: | GandCrab.exe
  File opened (read-only) | \??\W: | GandCrab.exe
  File opened (read-only) | \??\S: | GandCrab.exe
  File opened (read-only) | \??\X: | GandCrab.exe
  File opened (read-only) | \??\Y: | GandCrab.exe
  File opened (read-only) | \??\Z: | GandCrab.exe
  File opened (read-only) | \??\H: | GandCrab.exe
  File opened (read-only) | \??\K: | GandCrab.exe
  File opened (read-only) | \??\M: | GandCrab.exe
  File opened (read-only) | \??\R: | GandCrab.exe
  File opened (read-only) | \??\T: | GandCrab.exe
  File opened (read-only) | \??\O: | GandCrab.exe
  File opened (read-only) | \??\P: | GandCrab.exe
  File opened (read-only) | \??\Q: | GandCrab.exe
  File opened (read-only) | \??\A: | GandCrab.exe
  File opened (read-only) | \??\G: | GandCrab.exe
  File opened (read-only) | \??\I: | GandCrab.exe
  File opened (read-only) | \??\L: | GandCrab.exe
  File opened (read-only) | \??\N: | GandCrab.exe
  File opened (read-only) | \??\V: | GandCrab.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | GandCrab.exe
- Drops file in Program Files directory (43 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KJFZSEE-MANUAL.txt | GandCrab.exe
  File opened for modification | C:\Program Files\LockUninstall.mhtml | GandCrab.exe
  File opened for modification | C:\Program Files\NewStep.mhtml | GandCrab.exe
  File opened for modification | C:\Program Files\RequestSync.aif | GandCrab.exe
  File opened for modification | C:\Program Files\ResetSync.raw | GandCrab.exe
  File opened for modification | C:\Program Files\ConnectStep.ps1 | GandCrab.exe
  File opened for modification | C:\Program Files\FormatGroup.ttc | GandCrab.exe
  File opened for modification | C:\Program Files\ResumeSuspend.dxf | GandCrab.exe
  File opened for modification | C:\Program Files\EnableRequest.tiff | GandCrab.exe
  File opened for modification | C:\Program Files\SendGrant.TS | GandCrab.exe
  File opened for modification | C:\Program Files\UnblockJoin.clr | GandCrab.exe
  File opened for modification | C:\Program Files\UnblockSkip.3gp | GandCrab.exe
  File opened for modification | C:\Program Files\WriteNew.odt | GandCrab.exe
  File created | C:\Program Files (x86)\KJFZSEE-MANUAL.txt | GandCrab.exe
  File created | C:\Program Files\KJFZSEE-MANUAL.txt | GandCrab.exe
  File opened for modification | C:\Program Files\CompleteEdit.tif | GandCrab.exe
  File opened for modification | C:\Program Files\PopEdit.css | GandCrab.exe
  File opened for modification | C:\Program Files\ResumeBackup.gif | GandCrab.exe
  File created | C:\Program Files (x86)\d7d3ae02d7d3a9e2314.lock | GandCrab.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\d7d3ae02d7d3a9e2314.lock | GandCrab.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KJFZSEE-MANUAL.txt | GandCrab.exe
  File opened for modification | C:\Program Files\ApproveAdd.mpv2 | GandCrab.exe
  File opened for modification | C:\Program Files\GetEnter.reg | GandCrab.exe
  File opened for modification | C:\Program Files\ResumeUnlock.edrwx | GandCrab.exe
  File opened for modification | C:\Program Files\UnpublishRename.emf | GandCrab.exe
  File opened for modification | C:\Program Files\DismountLimit.xhtml | GandCrab.exe
  File opened for modification | C:\Program Files\ExpandMeasure.wmx | GandCrab.exe
  File opened for modification | C:\Program Files\ExportUninstall.vsx | GandCrab.exe
  File opened for modification | C:\Program Files\BlockSearch.m4v | GandCrab.exe
  File opened for modification | C:\Program Files\CloseResume.ADT | GandCrab.exe
  File opened for modification | C:\Program Files\ConvertFromUnblock.xla | GandCrab.exe
  File opened for modification | C:\Program Files\DenyPing.css | GandCrab.exe
  File created | C:\Program Files\d7d3ae02d7d3a9e2314.lock | GandCrab.exe
  File opened for modification | C:\Program Files\JoinSplit.7z | GandCrab.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\d7d3ae02d7d3a9e2314.lock | GandCrab.exe
  File opened for modification | C:\Program Files\UpdateComplete.nfo | GandCrab.exe
  File opened for modification | C:\Program Files\WatchSend.ttc | GandCrab.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KJFZSEE-MANUAL.txt | GandCrab.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\d7d3ae02d7d3a9e2314.lock | GandCrab.exe
  File opened for modification | C:\Program Files\CompressConvertTo.clr | GandCrab.exe
  File opened for modification | C:\Program Files\ConvertMove.htm | GandCrab.exe
  File opened for modification | C:\Program Files\CopySkip.mp3 | GandCrab.exe
  File opened for modification | C:\Program Files\DenyOpen.vst | GandCrab.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vssadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GandCrab.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | GandCrab.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GandCrab.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GandCrab.exe
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1960 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1820 | GandCrab.exe
  1820 | GandCrab.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2332 | vssvc.exe
  Token: SeRestorePrivilege | 2332 | vssvc.exe
  Token: SeAuditPrivilege | 2332 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1820 wrote to memory of 2864 | 1820 | GandCrab.exe | 30
  PID 1820 wrote to memory of 2864 | 1820 | GandCrab.exe | 30
  PID 1820 wrote to memory of 2864 | 1820 | GandCrab.exe | 30
  PID 1820 wrote to memory of 2864 | 1820 | GandCrab.exe | 30
  PID 2864 wrote to memory of 1960 | 2864 | cmd.exe | 32
  PID 2864 wrote to memory of 1960 | 2864 | cmd.exe | 32
  PID 2864 wrote to memory of 1960 | 2864 | cmd.exe | 32
  PID 2864 wrote to memory of 1960 | 2864 | cmd.exe | 32
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\GandCrab.exe (PID: 1820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GandCrab.exe"
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID: 2864)
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (PID: 1960)
      Command line: vssadmin delete shadows /all /quiet
      - System Location Discovery: System Language Discovery
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID: 2332)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2)
  File Deletion (2)
  Modify Registry (1)
Credential Access
  Credentials from Password Stores (2)
  Credentials from Web Browsers (1)
  Windows Credential Manager (1)
  Unsecured Credentials (1)
  Credentials In Files (1)
Downloads
- Filesize: 8KB
  MD5: 270852011016ad95af793b85654fe197
  SHA1: 0c39c83bac3358dfdd3927ef4b6c66976c45bafb
  SHA256: 16d40132295ca77d5c87c0c609959c1c6ee09ffd57e1dd21fa7592e35116a4fa
  SHA512: 35241fd48d7d511fb57003ebb02d85a329c7f89abadea277bdb5fb43b9b2fee03dd664e8e7ae1f429284115922884b105a29b95985497eef95e37fe83fb96dd1