Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 11:04
Behavioral task
behavioral1
Sample
2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe
Resource
win10v2004-20240508-en
Errors
General
-
Target
2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe
-
Size
97KB
-
MD5
bd7ee23b22fb3423107a0df21e5ce168
-
SHA1
7ebb5d065468d4f977d51dc0b981dce0c2e1424b
-
SHA256
506c50d25574a836a380c4cf9371282554f9636c9ad37e1c3456390487af417c
-
SHA512
5e0092f6bc4321a97a97fe5f3cdbb0a53ea0d9161b03e6143cbcc3a12b5796c03e50c1bb6e8d1cccc7b3694c6f0024dd7f9c707c20f4e5597782113c1bf0a6fe
-
SSDEEP
1536:3ZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAlMqqU+2bbbAV2/S2LNmHkf:/BounVyFHkMqqDL2/LgHkctc
Malware Config
Signatures
-
GandCrab payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2356-0-0x000000000F430000-0x000000000F44B000-memory.dmp family_gandcrab behavioral1/memory/2356-4-0x000000000F430000-0x000000000F44B000-memory.dmp family_gandcrab behavioral1/memory/808-5-0x000000000F430000-0x000000000F44B000-memory.dmp family_gandcrab behavioral1/memory/2104-6-0x000000000F430000-0x000000000F44B000-memory.dmp family_gandcrab behavioral1/memory/2356-7-0x000000000F430000-0x000000000F44B000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Processes:
resource yara_rule behavioral1/memory/2356-0-0x000000000F430000-0x000000000F44B000-memory.dmp upx behavioral1/memory/2356-4-0x000000000F430000-0x000000000F44B000-memory.dmp upx behavioral1/memory/808-5-0x000000000F430000-0x000000000F44B000-memory.dmp upx behavioral1/memory/2104-6-0x000000000F430000-0x000000000F44B000-memory.dmp upx behavioral1/memory/2356-7-0x000000000F430000-0x000000000F44B000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kigfymjjwbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe" 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exedescription ioc process File opened (read-only) \??\S: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\W: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\Y: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\H: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\P: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\O: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\Q: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\Z: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\I: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\K: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\L: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\M: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\N: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\R: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\U: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\V: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\B: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\J: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\G: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\T: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\X: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\A: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe File opened (read-only) \??\E: 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe -
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exepid process 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 3276 LogonUI.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exedescription pid process target process PID 2356 wrote to memory of 1704 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 1704 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 1704 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 1484 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 1484 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 1484 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 4416 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 4416 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 4416 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 4808 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 4808 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 4808 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 2176 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 2176 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe PID 2356 wrote to memory of 2176 2356 2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe nslookup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-01_bd7ee23b22fb3423107a0df21e5ce168_gandcrab.exe"1⤵
- Checks processor information in registry
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39ae855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/808-5-0x000000000F430000-0x000000000F44B000-memory.dmpFilesize
108KB
-
memory/2104-6-0x000000000F430000-0x000000000F44B000-memory.dmpFilesize
108KB
-
memory/2356-0-0x000000000F430000-0x000000000F44B000-memory.dmpFilesize
108KB
-
memory/2356-4-0x000000000F430000-0x000000000F44B000-memory.dmpFilesize
108KB
-
memory/2356-7-0x000000000F430000-0x000000000F44B000-memory.dmpFilesize
108KB