Overview

overview

10

Static

static

3

2024-12-15...ia.exe

windows7-x64

10

2024-12-15...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 03:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia.exe

  • Size

    250KB

  • MD5

    1f1bd29d45c5ab7b60bd03e37e3e2c01

  • SHA1

    6c36fc36ba6f88dd4dc22b5801a14d61c70f44b4

  • SHA256

    7da47ee5bb9211fa7e07b158c4e9a425a69cbae6bdbcb7200e09593d74d37e37

  • SHA512

    5cc9b9a5e0dfb6f03bdff7828cc637443f54b16c977e8c3998573fa9fdb268a4202d2d87a92371c8ea5fb37b6eae293ae760bf17b3c6f89446a8821ceb1ce522

  • SSDEEP

    3072:7HvXSC+AQalUoA/INvHc7aEBN82RSVRnoxhsI/5muYDAuBauuuuuuMuWauuuuuuw:7D+A0Z/IlbctOR4hsI

Score
10/10
gandcrabbackdoorcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/ef2d62a9f35db12a | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANewPEuW8so28d8FkINdvGF4GbXDiP5ffCMoYtRBEhIgnKbp9FzQw/n/XgMEpbreVnOXTywrXHyvcF6j9dDn5XtchZBYKqATH1AtZ4JuTj/nh/MPdyUAKkn5o218FDNtzZyaVFuGaEY5NSzrvMQSIx9qQOK696qiWX6UwrhZt33koaeARRsalPNOETZMZZAlON7Wg2ODlHLU+Cxhz6ay4MrZUjL5k8Rchp4jxRO8FVu3cVrVHenK3uQr5Fi4jlvhP9C7jIxmkQdTTNsXMhQdT8+LJyunUcJ0UENDJXIoXR+erNDijiDHzxXcfp++Nk6TFc6WQdlpLctwZE8OvhcdMFA1+eFeHw3gA8GL15/O3/U8+iUxBsxcUu9OvW4lCCKywAK/H+Zp5sWpEvrQpjDbDiclNbB+uRmXs6m0OFV144RiLZicmgn94S0BvZP/801MOPHasw8XvVj6RMR/K6mrHfHNkqXs043Pcu32dLOnxCuWHDO5uj5gPcvs1FBVKcxm+seCankTJvkDwPMp4mGm5kLXFd7Z1HdQ3vdn3oJkCsC6UUfvm+MbKHS4hQu+fepn8raTk11mUCwf1m0ugqGlFwODo84fAKH4G2aIvfCzbhAIKM78MLujHkrVhiKZNEw7BXO+bbh4uwhtIYE3Wmeam5iDlQ2Fg7c/l5H5UdxuCABHAQx1Gt+mx/Q80l16WKZH8srMlSnuDzUoU4B3Vkga5DJnPM1GkhwGH0CtIh7LHn2Xn2coVtT+OvRe07GgYfaZDjylseXzo6K7VI+jxyusCIdRDp/6kV9i8Gm39BtWFIouoKMwFyUHvuGJbDVirMedBs8qmGV1jY8WmmtZM+BH2DVzXGwx6MuokeUQpp+0qSZ/7SFzNNt2XJE5kofqIoqVJqxgp5M34r068EwPsrNZ+rCver9O1GWVADz8MbSC7D4AduUjKRc64AO4RXha4AZt0SWTrRIsj2Xd1QGfNUjvbTirjmLSg9CnwZdtuvzfs0EqsbRp8kP3UTzo9rkVTwhX7khQ5At8j2SIu3z98ng+o7EG7SPtow3e7jgZ73NJbvfUcOXfLtPiGpRQfff5/6Gs3wskr/aaAKRejQf8qrSkQ/amP/E3wjMfFjGHwWd1Oq3zup7Ys7cv5G0gHgI3BXXDMbqMCmX/2qq2ujPZXR1YDOa3FXsFz+ZKD+9mtTxpcXpdH0avl64bw0C/FHMMyXtc5xTlSy2EFtOvYX4l9GCm+B+886mmDl1tkuOnHPuMqVHZnq+rp+AYUDpt1dE6SNw9k7YLY0US5RZnUFfM4uN4udLsI/6mysVkaEa/HjTzJuQYD8CLqIdJiK1OcRHmhUCbwFoQf2+OONWrYRsGGkFmitsTtcn9ePKHVgbbWbpmks51OP+R7dGhNaJmdlnJ6ThXWsn1uYGHlY7XuB6GncK8haq24uvnYpMPyqne+QJ8tdiKk2/O2bMnYekISPYtxv/wG8IEYabrZHFdTthQijoVipQz4zj7BcrnDp+fKmF7AqJfatd3Lc3EEqWiymbrtyWK7xKfsGYylNpuN2PHlyw5x42pLBz3vvdYEsyFAy5ImxRtExDzysILp2zSuL0pRbdQOHqHbMQuu54yu4xICfS/R4FpKt/aPwLooQxMbvO3A5ISTxugjvp/uH6a8fTY2C1jq8upYfX8b6KRGLfR1pxW4DxOPfL+EDgmKC6BnNPJTgyur4Q4GniEsjj8lomZkuWXp1KIe2qc6n0E43F+xr6WBp/sdJuHCfSTCYzqUdoGZUAUenkOoL95d13puvwLXfUx6zo0+d4p1GWfJ7mCTgzfZsaR+vWZkTgz1T3gRXzify30cgJhe8KkfolU93TNoD6DbeUORqlMrKDLwcw+3JMqMx9VDTqtFGAThDSHNvLJN6Bfy54b8tQJE7q4Yp2xdSZ7OKP3XzwT/qc9bgwPJpA61dtFHXFdsBNzTnd8HIA2HAQaMO7rNmDt5nMpxgnMZfTSTiLff1EoVFG9fI9F7EAt5B/GBeAfYE18LHf8v0OYIHEOruWdS04fFE7GC6hLSs839dLsZSZ+e3o9AnOY2xzkjgDeJ4zYyvKzFraNk3CrRKKhv1qZRtLVz2jcxBlFBiO6fo+ppRPTncWIFaReblHuaobpWRHfycvSFhLogKQIoOjZz5/W/weA7SjzIhQ2vHaHiTGh3A7lfXVnpgCPTHIGbIM0bsgiYBHWkBvtKmqTrpbQHpCLcRnm2Doqzk3yBkGXik9Q5Pw= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZdToRRs3YK7mpWq7fFTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BitrEkkUrBtOKi/2Q2QOsvGo1Yb1qGBnPt/xHXEdsb8CcE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg72Zi/pDxFL3vfLOOao1wQZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJHwHowOP7+LRYsPy4knV/fu67PJzMP9LnZDh5szqewLRaRtAf+EbjLWuuIPXpFeJdR69BFhflKE2uFgzGnXLQQzyAtYfjv5 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/ef2d62a9f35db12a

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Gandcrab family
    gandcrab
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (334) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 45 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2908
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabF356.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarF4B0.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\KRAB-DECRYPT.txt
    Filesize

    7KB

    MD5

    93974ae396a461a524fb6563dc358af1

    SHA1

    dcc5ffda9f4afa3ef80b27d28f44ed3f01b8f496

    SHA256

    beffcc5b252b8417373f2da0a550c25dff4b187b0b23433b756f7188419b79fd

    SHA512

    14d18881cceba8db4ceba4cf1ebf88cc1e0a0beceda263620c965951c4d3e44c776bf99f9cc0bddf88ed65025d7237266a9e78d9612da971c9d5f0acff8fda9f

    Download Submit

  • memory/2256-1-0x0000000000220000-0x0000000000231000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2256-0-0x0000000000220000-0x0000000000231000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2256-2-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2256-862-0x0000000000220000-0x0000000000231000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2256-863-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2256-864-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download