gandcrab | 0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c33d9670490f003390bd5b00cbc76d.exe
Size

240KB
MD5

88c33d9670490f003390bd5b00cbc76d
SHA1

0563481e0b88924d1f19fbe4f1afec283fe448e6
SHA256

0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146
SHA512

0faa29d0b2d62a288b47ca5ad735c3c8b2a6c7c6cd5e90bd1f845ac956de3190f6849d61024cb7347411fdd870eea77c7380f44b87ddbe33ff25a039f1a4b2b8
SSDEEP

3072:qYHVHd2NwMqqDL2/mr3IdE8we0Avu5r++ygLIaa4jRv9OtNZpHk:qycqqDL6oREzZpE

Score

10^/10

gandcrab backdoor persistence ransomware upx

Malware Config

Signatures

GandCrab payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x000000000043C000-memory.dmp	family_gandcrab
behavioral1/memory/2156-4-0x0000000000400000-0x000000000043C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2156-0-0x0000000000400000-0x000000000043C000-memory.dmp upx
behavioral1/memory/2156-4-0x0000000000400000-0x000000000043C000-memory.dmp upx

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2156-4-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\stdnzatyogm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88c33d9670490f003390bd5b00cbc76d.exe"	88c33d9670490f003390bd5b00cbc76d.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	ioc	process
File opened (read-only)	\??\I:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\V:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\W:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\E:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\G:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\H:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\O:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\T:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\U:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\X:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\J:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\K:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\N:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\Q:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\R:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\Y:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\Z:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\A:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\B:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\P:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\L:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\M:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\S:	88c33d9670490f003390bd5b00cbc76d.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	88c33d9670490f003390bd5b00cbc76d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	88c33d9670490f003390bd5b00cbc76d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	88c33d9670490f003390bd5b00cbc76d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

pid process

2156 88c33d9670490f003390bd5b00cbc76d.exe
2156 88c33d9670490f003390bd5b00cbc76d.exe

pid	process
2156	88c33d9670490f003390bd5b00cbc76d.exe
2156	88c33d9670490f003390bd5b00cbc76d.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	pid	process	target process
PID 2156 wrote to memory of 2628	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2628	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2628	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2628	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2732	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2732	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2732	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2732	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2584	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2584	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2584	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2584	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2484	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2484	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2484	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2484	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2920	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2920	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2920	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2920	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 108	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 108	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 108	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 108	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1664	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1664	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1664	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1664	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1352	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1352	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1352	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1352	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 764	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 764	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 764	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 764	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1680	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1680	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1680	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1680	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2004	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2004	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2004	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2004	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2244	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2244	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2244	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2244	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 576	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 576	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 576	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 576	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1448	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1448	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1448	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 1448	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2240	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2240	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2240	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2156 wrote to memory of 2240	2156	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe
"C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:2628

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:2732

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:2584

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:2484

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:2920

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:108

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:1664

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:1352

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:764

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:1680

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:2004

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:2244

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:576

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:1448

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2156-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download