Analysis
max time kernel: 52s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-06-2024 10:44
Static task: static1 (1 signature)
Behavioral task: behavioral1, sample program.exe, resource win7-20240419-en, 9 signatures, 150 seconds
Behavioral task: behavioral2, sample program.exe, resource win10v2004-20240508-en, 4 signatures, 150 seconds
General
Target: program.exe
Size: 328KB
MD5: a1d3ac1589572aaf97cc478769910de0
SHA1: 3f8532f91b62ce3c3b97cddfec540da9ff041273
SHA256: a8fce1cf68294753a4bac38231257f3c7860a080719af8dc8ac5943458059c16
SHA512: d80ab2500145dfc74f16321d4fbe25801effe10a2558b7e68138f833033a5434714878f134cf9214ce2485b5b0e8ba5b1c29cfb0cfcf074348a27aa2ac0e0e81
SSDEEP: 6144:dmWHLy61/yP85HZZptiYrVGrnCZ0g5ksjYYGHh4rCrrRrrFrrPrr5rrrgrrr8rr+:dmAu61/RHTWY5+nCZ0NIYYbrCrrRrrF2
Score: 10/10
Malware Config
Signatures
GandCrab payload 3 IoCs
resource                                                                   | yara_rule
behavioral2/memory/4264-3-0x00000000067D0000-0x00000000067E7000-memory.dmp | family_gandcrab
behavioral2/memory/4264-2-0x0000000000400000-0x0000000004B70000-memory.dmp | family_gandcrab
behavioral2/memory/4264-7-0x0000000000400000-0x000000000042C000-memory.dmp | family_gandcrab
Gandcrab
GandCrab is a ransomware family: a Trojan that encrypts files on the victim's computer and demands payment for their recovery. Note that the family rule matched only in process memory (behavioral2), not in the static task, which is consistent with a packed or loader-wrapped payload.
Program crash 1 IoCs
pid  | pid_target | process      | target process
1684 | 4264       | WerFault.exe | program.exe
pid 1684 is the WerFault.exe instance that handled the crash of program.exe (pid 4264); the sample did not survive the 150-second run.
Suspicious use of SetWindowsHookAW 64 IoCs
pid  | process
4264 | program.exe (64 hook events, all from the same process)
Processes
C:\Users\Admin\AppData\Local\Temp\program.exe (pid 4264)
  command line: "C:\Users\Admin\AppData\Local\Temp\program.exe"
  Suspicious use of SetWindowsHookAW
  C:\Windows\SysWOW64\WerFault.exe (child of program.exe)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 476
    Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4264 -ip 4264
Network
MITRE ATT&CK Matrix
Downloads
memory dump                                                    | filesize
memory/4264-1-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/4264-0-0x0000000006780000-0x000000000679B000-memory.dmp | 108KB
memory/4264-3-0x00000000067D0000-0x00000000067E7000-memory.dmp | 92KB
memory/4264-2-0x0000000000400000-0x0000000004B70000-memory.dmp | 71.4MB
memory/4264-7-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
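As an added example (not part of the report and not the sandbox vendor's code), the following Python script parses the dump names from the Downloads list above, recomputes each region's size from its address range to confirm the listed file sizes, finds dumps whose ranges overlap, and picks out the regions the family_gandcrab YARA rule matched in the Signatures section. The dump names, sizes and hit indices are copied from this page; the function names and the assumption that 0x400000 is the 32-bit image base are our own.

```python
"""Sanity-check the memory dumps listed in a Triage-style sandbox report.

Added example; not code from the report or from the sandbox vendor.
Dump names, rendered sizes and YARA hit indices are copied from the
report; every function and variable name here is our own choice.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Dump names on the page follow memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<index>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the report's Downloads section: (name, size as rendered).
REPORT_DUMPS: List[Tuple[str, str]] = [
    ("memory/4264-1-0x0000000000400000-0x000000000042C000-memory.dmp", "176KB"),
    ("memory/4264-0-0x0000000006780000-0x000000000679B000-memory.dmp", "108KB"),
    ("memory/4264-3-0x00000000067D0000-0x00000000067E7000-memory.dmp", "92KB"),
    ("memory/4264-2-0x0000000000400000-0x0000000004B70000-memory.dmp", "71.4MB"),
    ("memory/4264-7-0x0000000000400000-0x000000000042C000-memory.dmp", "176KB"),
]
# Dump indices the report's family_gandcrab YARA rule matched on.
GANDCRAB_HITS = {3, 2, 7}
# Assumption: default image base of a 32-bit PE (the sample ran under SysWOW64).
IMAGE_BASE = 0x400000


@dataclass(frozen=True)
class Dump:
    pid: int
    index: int
    start: int   # region start, virtual address inside the dumped process
    end: int     # region end (exclusive)

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump(name: str) -> Dump:
    """Parse one dump name; reject names that do not match the format."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    d = Dump(int(m["pid"]), int(m["index"]), int(m["start"], 16), int(m["end"], 16))
    if d.end <= d.start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return d


def human_size(n: int) -> str:
    """Render bytes the way the report does: whole KB below 1 MiB, else one-decimal MB."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def overlapping_dumps(dumps: List[Dump]) -> List[Tuple[int, int]]:
    """Index pairs (same pid) whose address ranges intersect, in list order."""
    pairs = []
    for i, a in enumerate(dumps):
        for b in dumps[i + 1:]:
            if a.pid == b.pid and a.start < b.end and b.start < a.end:
                pairs.append((a.index, b.index))
    return pairs


def check_report(entries=REPORT_DUMPS, hits=GANDCRAB_HITS) -> Dict[str, object]:
    """Recompute sizes from the address ranges and flag the YARA-hit regions."""
    dumps = [parse_dump(name) for name, _ in entries]
    sizes_match = all(human_size(d.size) == shown for d, (_, shown) in zip(dumps, entries))
    hit_regions = {d.index: (d.start, d.end) for d in dumps if d.index in hits}
    return {
        "sizes_match": sizes_match,
        "overlaps": overlapping_dumps(dumps),
        "hit_regions": hit_regions,
        # Hits on regions starting at the image base lie inside the process's own
        # mapped image rather than in separately allocated memory (under the
        # IMAGE_BASE assumption above).
        "image_base_hits": sorted(i for i, (s, _) in hit_regions.items() if s == IMAGE_BASE),
    }


if __name__ == "__main__":
    for key, value in check_report().items():
        print(f"{key}: {value}")
```

Running it confirms every rendered size (0x42C000 - 0x400000 = 176KB, 0x4B70000 - 0x400000 = 71.4MB, and so on), shows that dumps 1, 2 and 7 all overlap at the image base, and that two of the three family hits (dumps 2 and 7) are on image-base regions, which is the evidence a practitioner would carry into static unpacking of the sample.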