Analysis
-
max time kernel
139s -
max time network
154s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
18-05-2021 13:11
Static task
static1
Behavioral task
behavioral1
Sample
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
Resource
win10v20210408
General
-
Target
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe
-
Size
250KB
-
MD5
4b4333d034009da5ddbfa105e2ddbce7
-
SHA1
deeeafb18977a43d9d7b7241d8525f73ec7f1430
-
SHA256
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8
-
SHA512
4a3b37265d8b3269337b76f7f72e7b38923fb315bf45d82bc10bfb040c462ee6b76dc8db93369bc85130946190f0cacc5173c40e4d23a45915a1bb2ca018f281
Malware Config
Signatures
-
GandCrab Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/860-115-0x00000000005A0000-0x00000000005B7000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdunswxubjd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\kznjni.exe\"" b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exedescription ioc process File opened (read-only) \??\X: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\B: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\G: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\H: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\J: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\M: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\N: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\Q: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\Z: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\E: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\O: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\S: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\W: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\V: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\F: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\K: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\L: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\P: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\R: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\T: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\U: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\A: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\I: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe File opened (read-only) \??\Y: b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exepid process 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exedescription pid process target process PID 860 wrote to memory of 1896 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1896 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1896 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1876 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1876 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1876 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1176 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1176 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 1176 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2244 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2244 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2244 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2124 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2124 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2124 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2864 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2864 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe PID 860 wrote to memory of 2864 860 b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe nslookup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe"C:\Users\Admin\AppData\Local\Temp\b1002ce2318963d5e17986c41bbfdb4486f6997bb7cd7903789619398a286ad8.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/860-114-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/860-115-0x00000000005A0000-0x00000000005B7000-memory.dmpFilesize
92KB
-
memory/1176-118-0x0000000000000000-mapping.dmp
-
memory/1876-117-0x0000000000000000-mapping.dmp
-
memory/1896-116-0x0000000000000000-mapping.dmp
-
memory/2124-120-0x0000000000000000-mapping.dmp
-
memory/2244-119-0x0000000000000000-mapping.dmp
-
memory/2864-121-0x0000000000000000-mapping.dmp