gandcrab | 0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c33d9670490f003390bd5b00cbc76d.exe
Size

240KB
MD5

88c33d9670490f003390bd5b00cbc76d
SHA1

0563481e0b88924d1f19fbe4f1afec283fe448e6
SHA256

0837ea3c5e0a86168ded966aca50add80e1b533b99a00b4a6b5d5f6a497de146
SHA512

0faa29d0b2d62a288b47ca5ad735c3c8b2a6c7c6cd5e90bd1f845ac956de3190f6849d61024cb7347411fdd870eea77c7380f44b87ddbe33ff25a039f1a4b2b8
SSDEEP

3072:qYHVHd2NwMqqDL2/mr3IdE8we0Avu5r++ygLIaa4jRv9OtNZpHk:qycqqDL6oREzZpE

Score

10^/10

gandcrab backdoor persistence ransomware upx

Malware Config

Signatures

GandCrab payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2240-0-0x0000000000400000-0x000000000043C000-memory.dmp	family_gandcrab
behavioral2/memory/2240-4-0x0000000000400000-0x000000000043C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/2240-0-0x0000000000400000-0x000000000043C000-memory.dmp upx
behavioral2/memory/2240-4-0x0000000000400000-0x000000000043C000-memory.dmp upx

resource	yara_rule
behavioral2/memory/2240-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2240-4-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oezvfrrusyj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88c33d9670490f003390bd5b00cbc76d.exe"	88c33d9670490f003390bd5b00cbc76d.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	ioc	process
File opened (read-only)	\??\I:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\J:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\U:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\Z:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\Q:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\B:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\E:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\G:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\H:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\M:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\W:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\N:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\O:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\S:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\T:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\V:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\X:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\Y:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\A:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\K:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\L:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\P:	88c33d9670490f003390bd5b00cbc76d.exe
File opened (read-only)	\??\R:	88c33d9670490f003390bd5b00cbc76d.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	88c33d9670490f003390bd5b00cbc76d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	88c33d9670490f003390bd5b00cbc76d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	88c33d9670490f003390bd5b00cbc76d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

pid process

2240 88c33d9670490f003390bd5b00cbc76d.exe
2240 88c33d9670490f003390bd5b00cbc76d.exe
2240 88c33d9670490f003390bd5b00cbc76d.exe
2240 88c33d9670490f003390bd5b00cbc76d.exe

pid	process
2240	88c33d9670490f003390bd5b00cbc76d.exe
2240	88c33d9670490f003390bd5b00cbc76d.exe
2240	88c33d9670490f003390bd5b00cbc76d.exe
2240	88c33d9670490f003390bd5b00cbc76d.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

88c33d9670490f003390bd5b00cbc76d.exe

description	pid	process	target process
PID 2240 wrote to memory of 4508	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4508	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4508	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1188	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1188	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1188	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2432	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2432	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2432	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1888	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1888	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1888	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2524	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2524	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2524	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2312	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2312	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 2312	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 3112	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 3112	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 3112	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 5012	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 5012	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 5012	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 3772	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 3772	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 3772	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4916	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4916	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4916	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4736	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4736	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 4736	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1972	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1972	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe
PID 2240 wrote to memory of 1972	2240	88c33d9670490f003390bd5b00cbc76d.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe
"C:\Users\Admin\AppData\Local\Temp\88c33d9670490f003390bd5b00cbc76d.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:4508

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:1188

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:2432

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:1888

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:2524

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:2312

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:3112

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:5012

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:3772

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:4916

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:4736

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download