Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 19-06-2024 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
  Resource: win10v2004-20240611-en
General
Target: 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
Size: 91KB
MD5: f013862c115bb83078c68b33aa5d392e
SHA1: 7acc6e8a7417b7ee51af4b678aec74d0813ad6b6
SHA256: 3bf57e3d096aa28e1783e698fe1098ebb97fbe3ffae6dfd032df5a987f61c17d
SHA512: 1fdc5afafa284e52a1db5fcc7fbeeccefbf63526ced7bb02312cfbaeaae3347ae17757d0dc7c68c48d9be20b8b3b8e80fbf58c17fa682ba15f8154f9d820ced7
SSDEEP: 1536:WGdg6A8xXaHuX39Ev8hGijIa7DdfQZblriWU8nFXOsWjcdS6ItKT0S:JZqCZjIGmrxrJItKT0S
Malware Config
Extracted from: F:\KRAB-DECRYPT.txt
Payment URL: http://gandcrabmfe6mnef.onion/565eddf87266000d
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (260) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
- Drops startup file (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\726607e07266000d41b.lock | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\H: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\K: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\X: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\O: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\Q: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\S: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\T: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\Z: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\A: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\B: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\J: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\L: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\N: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\R: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\U: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\V: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\E: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\G: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\I: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\Y: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\M: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\P: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened (read-only) | \??\W: | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
- Drops file in Program Files directory (21 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Program Files\SelectWrite.pptm | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\StopJoin.i64 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File created | C:\Program Files (x86)\KRAB-DECRYPT.txt | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File created | C:\Program Files (x86)\726607e07266000d41b.lock | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\CompressGrant.mpg | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File created | C:\Program Files\726607e07266000d41b.lock | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\PingRevoke.dwfx | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\RestartMount.M2V | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\SplitDebug.potm | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\SuspendApprove.wmf | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\UpdateConvert.ttc | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File created | C:\Program Files\KRAB-DECRYPT.txt | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\GroupRevoke.3gp2 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\ShowConnect.xltx | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\SuspendCopy.mht | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\ConvertFromCheckpoint.wma | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\JoinRemove.ppsx | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\ProtectWrite.wvx | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\RegisterSelect.docm | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\ResetExpand.html | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    File opened for modification | C:\Program Files\AddNew.xps | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid | process
    3744 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid | process
    1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
    1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes:
    description | pid | process
    Token: SeIncreaseQuotaPrivilege | 4884 | wmic.exe
    Token: SeSecurityPrivilege | 4884 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 4884 | wmic.exe
    Token: SeLoadDriverPrivilege | 4884 | wmic.exe
    Token: SeSystemProfilePrivilege | 4884 | wmic.exe
    Token: SeSystemtimePrivilege | 4884 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 4884 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 4884 | wmic.exe
    Token: SeCreatePagefilePrivilege | 4884 | wmic.exe
    Token: SeBackupPrivilege | 4884 | wmic.exe
    Token: SeRestorePrivilege | 4884 | wmic.exe
    Token: SeShutdownPrivilege | 4884 | wmic.exe
    Token: SeDebugPrivilege | 4884 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 4884 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 4884 | wmic.exe
    Token: SeUndockPrivilege | 4884 | wmic.exe
    Token: SeManageVolumePrivilege | 4884 | wmic.exe
    Token: 33 | 4884 | wmic.exe
    Token: 34 | 4884 | wmic.exe
    Token: 35 | 4884 | wmic.exe
    Token: 36 | 4884 | wmic.exe
    Token: SeIncreaseQuotaPrivilege | 4884 | wmic.exe
    Token: SeSecurityPrivilege | 4884 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 4884 | wmic.exe
    Token: SeLoadDriverPrivilege | 4884 | wmic.exe
    Token: SeSystemProfilePrivilege | 4884 | wmic.exe
    Token: SeSystemtimePrivilege | 4884 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 4884 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 4884 | wmic.exe
    Token: SeCreatePagefilePrivilege | 4884 | wmic.exe
    Token: SeBackupPrivilege | 4884 | wmic.exe
    Token: SeRestorePrivilege | 4884 | wmic.exe
    Token: SeShutdownPrivilege | 4884 | wmic.exe
    Token: SeDebugPrivilege | 4884 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 4884 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 4884 | wmic.exe
    Token: SeUndockPrivilege | 4884 | wmic.exe
    Token: SeManageVolumePrivilege | 4884 | wmic.exe
    Token: 33 | 4884 | wmic.exe
    Token: 34 | 4884 | wmic.exe
    Token: 35 | 4884 | wmic.exe
    Token: 36 | 4884 | wmic.exe
    Token: SeBackupPrivilege | 872 | vssvc.exe
    Token: SeRestorePrivilege | 872 | vssvc.exe
    Token: SeAuditPrivilege | 872 | vssvc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 1544 wrote to memory of 4884 | 1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe | wmic.exe
    PID 1544 wrote to memory of 4884 | 1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe | wmic.exe
    PID 1544 wrote to memory of 4884 | 1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe | wmic.exe
    PID 1544 wrote to memory of 2248 | 1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe | cmd.exe
    PID 1544 wrote to memory of 2248 | 1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe | cmd.exe
    PID 1544 wrote to memory of 2248 | 1544 | 2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe | cmd.exe
    PID 2248 wrote to memory of 3744 | 2248 | cmd.exe | timeout.exe
    PID 2248 wrote to memory of 3744 | 2248 | cmd.exe | timeout.exe
    PID 2248 wrote to memory of 3744 | 2248 | cmd.exe | timeout.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe"
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\AppData\Local\Temp\2024-06-19_f013862c115bb83078c68b33aa5d392e_gandcrab_karagany.exe" /f /q
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout -c 5
      - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- F:\KRAB-DECRYPT.txt
  Filesize: 7KB
  MD5: 74675f26024b6c1b6d6c46cdf8c2ed12
  SHA1: c3467bd1a4d8ffc0c58294f880916d8ce8b27e27
  SHA256: ede1eb7ace44bbecc7525c66f68d59952a97c43b5572b79db7d96fedcc210bec
  SHA512: f2aa279ad34f6dc7a0f0ce990070d29ff8c7b2ab0d00a5c2ae1a0043b95182e6855b06531ed1be032badba49f57186e0f1074e9895b1930e266d642c6c321f6c