gandcrab | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8

General

Target

b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
Size

250KB
MD5

4b4333d034009da5ddbfa105e2ddbce7
SHA1

deeeafb18977a43d9d7b7241d8525f73ec7f1430
SHA256

b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8
SHA512

4a3b37265d8b3269337b76f7f72e7b38923fb315bf45d82bc10bfb040c462ee6b76dc8db93369bc85130946190f0cacc5173c40e4d23a45915a1bb2ca018f281

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/860-115-0x00000000005A0000-0x00000000005B7000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdunswxubjd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\kznjni.exe\""	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

description	ioc	process
File opened (read-only)	\??\X:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\B:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\G:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\H:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\J:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\M:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\N:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\Q:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\Z:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\E:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\O:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\S:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\W:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\V:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\F:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\K:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\L:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\P:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\R:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\T:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\U:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\A:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\I:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
File opened (read-only)	\??\Y:	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

pid	process
860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

description	pid	process	target process
PID 860 wrote to memory of 1896	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1896	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1896	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1876	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1876	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1876	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1176	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1176	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 1176	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2244	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2244	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2244	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2124	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2124	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2124	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2864	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2864	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe
PID 860 wrote to memory of 2864	860	b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
"C:\Users\Admin\AppData\Local\Temp\b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1896

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1876

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1176

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2244

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2124

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-115-0x00000000005A0000-0x00000000005B7000-memory.dmp

Filesize
92KB

Download
memory/1176-118-0x0000000000000000-mapping.dmp

Download
memory/1876-117-0x0000000000000000-mapping.dmp

Download
memory/1896-116-0x0000000000000000-mapping.dmp

Download
memory/2124-120-0x0000000000000000-mapping.dmp

Download
memory/2244-119-0x0000000000000000-mapping.dmp

Download
memory/2864-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads