Analysis
-
max time kernel
100s -
max time network
95s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
30-06-2024 01:13
General
-
Target
2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe
-
Size
240KB
-
MD5
88c33d9670490f003390bd5b00cbc76d
-
SHA1
0563481e0b88924d1f19fbe4f1afec283fe448e6
-
SHA256
0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146
-
SHA512
0faa29d0b2d62a288b47ca5ad735c3c8b2a6c7c6cd5e90bd1f845ac956de3190f6849d61024cb7347411fdd870eea77c7380f44b87ddbe33ff25a039f1a4b2b8
-
SSDEEP
3072:qYHVHd2NwMqqDL2/mr3IdE8we0Avu5r++ygLIaa4jRv9OtNZpHk:qycqqDL6oREzZpE
Score
10/10
Malware Config
Signatures
-
GandCrab payload 6 IoCs
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"1⤵
- Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1728-9-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1728-10-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2220-0-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2220-5-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2656-4-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2656-8-0x0000000002510000-0x0000000002520000-memory.dmpFilesize
64KB
-
memory/2656-12-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2892-11-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2936-13-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB