Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 02:30
Behavioral task: behavioral1
- Sample: 88c33d9670490f003390bd5b00cbc76d.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 88c33d9670490f003390bd5b00cbc76d.exe
- Resource: win10v2004-20240226-en
General
- Target: 88c33d9670490f003390bd5b00cbc76d.exe
- Size: 240KB
- MD5: 88c33d9670490f003390bd5b00cbc76d
- SHA1: 0563481e0b88924d1f19fbe4f1afec283fe448e6
- SHA256: 0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146
- SHA512: 0faa29d0b2d62a288b47ca5ad735c3c8b2a6c7c6cd5e90bd1f845ac956de3190f6849d61024cb7347411fdd870eea77c7380f44b87ddbe33ff25a039f1a4b2b8
- SSDEEP: 3072:qYHVHd2NwMqqDL2/mr3IdE8we0Avu5r++ygLIaa4jRv9OtNZpHk:qycqqDL6oREzZpE
Malware Config
Signatures
- GandCrab payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2240-0-0x0000000000400000-0x000000000043C000-memory.dmp | family_gandcrab
  behavioral2/memory/2240-4-0x0000000000400000-0x000000000043C000-memory.dmp | family_gandcrab
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Processes:
  resource | yara_rule
  behavioral2/memory/2240-0-0x0000000000400000-0x000000000043C000-memory.dmp | upx
  behavioral2/memory/2240-4-0x0000000000400000-0x000000000043C000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oezvfrrusyj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88c33d9670490f003390bd5b00cbc76d.exe" | 88c33d9670490f003390bd5b00cbc76d.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\I: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\J: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\U: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\Z: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\Q: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\B: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\E: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\G: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\H: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\M: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\W: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\N: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\O: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\S: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\T: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\V: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\X: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\Y: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\A: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\K: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\L: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\P: | 88c33d9670490f003390bd5b00cbc76d.exe
  File opened (read-only) | \??\R: | 88c33d9670490f003390bd5b00cbc76d.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 88c33d9670490f003390bd5b00cbc76d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 88c33d9670490f003390bd5b00cbc76d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 88c33d9670490f003390bd5b00cbc76d.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  2240 | 88c33d9670490f003390bd5b00cbc76d.exe
  2240 | 88c33d9670490f003390bd5b00cbc76d.exe
  2240 | 88c33d9670490f003390bd5b00cbc76d.exe
  2240 | 88c33d9670490f003390bd5b00cbc76d.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes:
  description | pid | process | target process
  PID 2240 wrote to memory of 4508 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4508 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4508 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1188 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1188 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1188 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2432 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2432 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2432 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1888 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1888 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1888 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2524 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2524 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2524 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2312 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2312 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 2312 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 3112 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 3112 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 3112 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 5012 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 5012 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 5012 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 3772 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 3772 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 3772 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4916 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4916 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4916 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4736 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4736 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 4736 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1972 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1972 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
  PID 2240 wrote to memory of 1972 | 2240 | 88c33d9670490f003390bd5b00cbc76d.exe | nslookup.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe"
  Signatures:
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8