VTI Score | 100 / 100
VTI Database Version | 2.6
VTI Rule Match Count | 24
VTI Rule Type | Default (PE, ...)

Category | Rule | Description
--- | --- | ---
File System | Encrypt content of user files | Encrypt the content of multiple user files. This is an indicator for ransomware.
OS | Modify certificate store | Add a certificate to the local "gdcb-decrypt.txt" by file.
OS | Modify certificate store | Add a certificate to the local "my" gdcb-decrypt.txt list by file.
OS | Modify certificate store | Add a certificate to the local "my" certificate list by file.
OS | Modify certificate store | Add a certificate to the local "my" revocation list by file.
OS | Modify certificate store | Add a certificate to the local "my" certificate trust list by file.
Browser | Read data related to browser cookies | Read cookies for "Mozilla Firefox".
Browser | Read data related to saved browser credentials | Read the master key for "Mozilla Firefox".
Anti Analysis | Try to detect virtual machine | Read out system information commonly used to detect VMs via the registry (value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").
Browser | Read data related to browsing history | Read browsing history and related data, such as bookmarks, for "Mozilla Firefox".
Network | Reputation URL lookup | URL "78.155.206.6/curl.php?token=1019" is known as a suspicious URL.
Anti Analysis | Dynamic API usage | Resolve an above-average number of APIs.
Process | Create system object | Create mutex with name "Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def".
Process | Create system object | Create mutex with name "firefox browser".
Persistence | Install system startup script or application | Add ""C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe"" to Windows startup via registry.
Persistence | Install system startup script or application | Add "c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\startup\gdcb-decrypt.txt" to Windows startup folder.
Process | Create process with hidden window | The process "nslookup gandcrab.bit a.dnspod.com" starts with a hidden window.
Process | Create process with hidden window | The process "C:\Windows\system32\wbem\wmic" starts with a hidden window.
Process | Create process with hidden window | The process "C:\Windows\system32\wbem\wmic.exe" starts with a hidden window.
Network | Perform DNS request | Resolve host name "a.dnspod.com".
File System | Create many files | Create an above-average number of files.
Network | Check external IP address | Check external IP by asking IP info service at "ipv4bot.whatismyipaddress.com/".
Network | Download data | URL "ipv4bot.whatismyipaddress.com/".
Network | Download data | URL "78.155.206.6/curl.php?token=1019".
Network | Connect to HTTP server | URL "ipv4bot.whatismyipaddress.com/".
Network | Connect to HTTP server | URL "78.155.206.6/curl.php?token=1019".