Analysis
-
max time kernel
158s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
30-06-2024 01:13
General
-
Target
2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe
-
Size
240KB
-
MD5
88c33d9670490f003390bd5b00cbc76d
-
SHA1
0563481e0b88924d1f19fbe4f1afec283fe448e6
-
SHA256
0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146
-
SHA512
0faa29d0b2d62a288b47ca5ad735c3c8b2a6c7c6cd5e90bd1f845ac956de3190f6849d61024cb7347411fdd870eea77c7380f44b87ddbe33ff25a039f1a4b2b8
-
SSDEEP
3072:qYHVHd2NwMqqDL2/mr3IdE8we0Avu5r++ygLIaa4jRv9OtNZpHk:qycqqDL6oREzZpE
Score
10/10
Malware Config
Signatures
-
GandCrab payload 3 IoCs
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_88c33d9670490f003390bd5b00cbc76d_gandcrab.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/5032-17-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-7-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-6-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-5-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-13-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-16-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-15-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-14-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-12-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5032-11-0x0000021B26790000-0x0000021B26791000-memory.dmpFilesize
4KB
-
memory/5068-4-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/5068-0-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/5068-18-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB