b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8

General

Target:    b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
Filesize:  250KB
Completed: 19-05-2021 03:49
Score:     10/10
MD5:       4b4333d034009da5ddbfa105e2ddbce7
SHA1:      deeeafb18977a43d9d7b7241d8525f73ec7f1430
SHA256:    b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8

Malware Config
Signatures 7

Defense Evasion
Discovery
Persistence
  • GandCrab Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/860-115-0x00000000005A0000-0x00000000005B7000-memory.dmp | family_gandcrab
  • Gandcrab

    Description

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Adds Run key to start application
    b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdunswxubjd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\kznjni.exe\"" | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
  • Enumerates connected drives
    b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\X: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\B: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\G: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\H: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\J: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\M: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\N: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\Q: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\Z: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\E: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\O: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\S: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\W: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\V: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\F: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\K: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\L: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\P: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\R: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\T: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\U: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\A: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\I: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    File opened (read-only) | \??\Y: | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
  • Checks processor information in registry
    b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
  • Suspicious behavior: EnumeratesProcesses
    b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

    Reported IOCs

    pid | process
    860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
  • Suspicious use of WriteProcessMemory
    b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe

    Reported IOCs

    description | pid | process | target process
    PID 860 wrote to memory of 1896 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1896 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1896 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1876 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1876 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1876 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1176 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1176 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 1176 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2244 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2244 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2244 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2124 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2124 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2124 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2864 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2864 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
    PID 860 wrote to memory of 2864 | 860 | b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe | nslookup.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
    "C:\Users\Admin\AppData\Local\Temp\b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe"
    Adds Run key to start application
    Enumerates connected drives
    Checks processor information in registry
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      PID:1896
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      PID:1876
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      PID:1176
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      PID:2244
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      PID:2124
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      PID:2864
Network
                    Downloads
                    • memory/860-114-0x0000000000400000-0x0000000000444000-memory.dmp

                    • memory/860-115-0x00000000005A0000-0x00000000005B7000-memory.dmp

                    • memory/1176-118-0x0000000000000000-mapping.dmp

                    • memory/1876-117-0x0000000000000000-mapping.dmp

                    • memory/1896-116-0x0000000000000000-mapping.dmp

                    • memory/2124-120-0x0000000000000000-mapping.dmp

                    • memory/2244-119-0x0000000000000000-mapping.dmp

                    • memory/2864-121-0x0000000000000000-mapping.dmp