CB Response: Watchlist for GandCrab Ransomware causing errors

Article ID: 287793

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Watchlist query to identify GandCrab Ransomware fails to load

Environment

  • CB Response Server: All Versions

Cause

The result set returned by the Watchlist query has overwhelmed the Console/Server.

Resolution

TauTin has identified queries to assist with the campaign:

  • Word Dropper: parent_name:winword.exe AND process_name:powershell.exe AND netconn_count:[1 TO *]
  • PowerShell Second Stage: (domain:pastebin.com) and process_name:powershell.exe
  • PowerShell Second Stage: process_name:powershell.exe AND filemod:ProgramData\*.exe
  • PowerShell Downgrade: modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll and parent_name:powershell.exe AND netconn_count:[1 TO *] -cmdline:windows\\ccmcache*
  • PowerShell Downgrade: modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll and parent_name:powershell.exe AND childproc_name:csc.exe and -cmdline:windows\\ccmcache*
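Because the cause of the error is a query whose result set overwhelms the Console/Server, a practitioner will want to know how many hits each candidate query returns before saving it as a watchlist. The script below is an added example, not code from the article or from Carbon Black: it runs each of the queries listed above through the CB Response process search REST API with a one-row page size and reads the total_results count. It assumes the /api/v1/process endpoint with q, rows and start parameters and the X-Auth-Token header; SERVER_URL, API_TOKEN and HIT_THRESHOLD are placeholders to be set locally.

```python
"""
Pre-flight check for candidate watchlist queries (added example, not part of
the KB article). Each query is sent to the CB Response process search API
with rows=1, and only total_results is inspected, so the console never has
to render a large result set. Assumed: endpoint /api/v1/process taking
q/rows/start and the X-Auth-Token header. Placeholders: SERVER_URL,
API_TOKEN, HIT_THRESHOLD.
"""
import json
import urllib.parse
import urllib.request

SERVER_URL = "https://cbresponse.example.invalid"   # placeholder server
API_TOKEN = "REPLACE_WITH_API_TOKEN"                 # placeholder token
HIT_THRESHOLD = 1000  # local choice: above this, scope the query down first

# The five queries exactly as listed in the article (raw strings keep the
# backslashes, including the doubled ones in the ccmcache exclusion).
CANDIDATE_QUERIES = {
    "Word Dropper":
        r"parent_name:winword.exe AND process_name:powershell.exe AND netconn_count:[1 TO *]",
    "PowerShell Second Stage (pastebin)":
        r"(domain:pastebin.com) and process_name:powershell.exe",
    "PowerShell Second Stage (ProgramData)":
        r"process_name:powershell.exe AND filemod:ProgramData\*.exe",
    "PowerShell Downgrade (netconn)":
        r"modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll "
        r"and parent_name:powershell.exe AND netconn_count:[1 TO *] -cmdline:windows\\ccmcache*",
    "PowerShell Downgrade (csc.exe)":
        r"modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll "
        r"and parent_name:powershell.exe AND childproc_name:csc.exe and -cmdline:windows\\ccmcache*",
}


def build_search_url(server, query, rows=1, start=0):
    """Compose the process search URL; rows=1 keeps the returned page tiny."""
    params = urllib.parse.urlencode({"q": query, "rows": rows, "start": start})
    return server.rstrip("/") + "/api/v1/process?" + params


def classify(total_results, threshold=HIT_THRESHOLD):
    """Label a hit count relative to the local threshold."""
    return "ok" if total_results <= threshold else "too broad"


def count_hits(server, token, query):
    """Send one query and return total_results from the JSON response."""
    req = urllib.request.Request(build_search_url(server, query),
                                 headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return int(json.load(resp)["total_results"])


def preflight(server, token, queries, threshold=HIT_THRESHOLD):
    """Return {name: (total_results, verdict)} for every candidate query."""
    report = {}
    for name, query in queries.items():
        total = count_hits(server, token, query)
        report[name] = (total, classify(total, threshold))
    return report


if __name__ == "__main__":
    for name, (total, verdict) in preflight(SERVER_URL, API_TOKEN,
                                            CANDIDATE_QUERIES).items():
        print(f"{verdict:9s} {total:>8d}  {name}")
```

Any query reported as "too broad" is the one to narrow (for example by tightening a wildcard or adding an exclusion) before it is saved as a watchlist; the threshold itself is a sizing decision for the local server, not a value taken from the article.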