Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 02:30
Behavioral task: behavioral1
- Sample: 88c33d9670490f003390bd5b00cbc76d.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 88c33d9670490f003390bd5b00cbc76d.exe
- Resource: win10v2004-20240226-en
General
- Target: 88c33d9670490f003390bd5b00cbc76d.exe
- Size: 240KB
- MD5: 88c33d9670490f003390bd5b00cbc76d
- SHA1: 0563481e0b88924d1f19fbe4f1afec283fe448e6
- SHA256: 0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146
- SHA512: 0faa29d0b2d62a288b47ca5ad735c3c8b2a6c7c6cd5e90bd1f845ac956de3190f6849d61024cb7347411fdd870eea77c7380f44b87ddbe33ff25a039f1a4b2b8
- SSDEEP: 3072:qYHVHd2NwMqqDL2/mr3IdE8we0Avu5r++ygLIaa4jRv9OtNZpHk:qycqqDL6oREzZpE
Malware Config
Signatures
- GandCrab payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2156-0-0x0000000000400000-0x000000000043C000-memory.dmp | family_gandcrab
  behavioral1/memory/2156-4-0x0000000000400000-0x000000000043C000-memory.dmp | family_gandcrab
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
-
  Processes:
  resource | yara_rule
  behavioral1/memory/2156-0-0x0000000000400000-0x000000000043C000-memory.dmp | upx
  behavioral1/memory/2156-4-0x0000000000400000-0x000000000043C000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\stdnzatyogm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88c33d9670490f003390bd5b00cbc76d.exe" | 88c33d9670490f003390bd5b00cbc76d.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\I: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\V: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\W: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\E: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\G: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\H: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\O: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\T: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\U: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\X: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\J: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\K: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\N: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\Q: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\R: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\Y: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\Z: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\A: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\B: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\P: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\L: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\M: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\S: | 88c33d9670490f003390bd5b00cbc76d.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 88c33d9670490f003390bd5b00cbc76d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 88c33d9670490f003390bd5b00cbc76d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 88c33d9670490f003390bd5b00cbc76d.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2156 | 88c33d9670490f003390bd5b00cbc76d.exe
  2156 | 88c33d9670490f003390bd5b00cbc76d.exe
- Suspicious use of WriteProcessMemory (60 IoCs)
  Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe
  "C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru