gandcrab | b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea

General

Target

b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
Size

266KB
MD5

8d7f8e4240f451ad0d96b255f4c9dfb6
SHA1

8529fe7c200ce765610b748a966ed204c7ae879e
SHA256

b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea
SHA512

4ab988615473a2ec2da09ace4082359d559326dfcaeee21cc71b553e41d9df961cee3bddce0879089a54cdaea1bce379d99eac4442874ee67a3968deea6f7baf

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3984-116-0x0000000000BE0000-0x0000000000BF6000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\osnicvesjqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe"	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

description	ioc	process
File opened (read-only)	\??\J:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\N:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\V:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\X:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\Y:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\F:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\H:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\K:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\L:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\R:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\T:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\E:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\M:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\W:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\Z:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\Q:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\S:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\A:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\B:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\G:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\I:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\O:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\P:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
File opened (read-only)	\??\U:	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

pid	process
3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe

description	pid	process	target process
PID 3984 wrote to memory of 3120	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3120	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3120	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 4004	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 4004	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 4004	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 376	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 376	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 376	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2356	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2356	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2356	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1820	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1820	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1820	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 412	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 412	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 412	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3752	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3752	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3752	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3616	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3616	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3616	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2188	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2188	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2188	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3972	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3972	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3972	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1208	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1208	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1208	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1556	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1556	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1556	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3880	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3880	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3880	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2724	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2724	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2724	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2632	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2632	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2632	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3360	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3360	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3360	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2208	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2208	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 2208	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3560	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3560	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 3560	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1108	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1108	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1108	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1796	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1796	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1796	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 64	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 64	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 64	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe
PID 3984 wrote to memory of 1964	3984	b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe
"C:\Users\Admin\AppData\Local\Temp\b7680a5071367e5e4f8412bc5cdc3cb82eaa0aaa03b4b08f0908069ed86de4ea.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:3120

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:4004

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:376

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:2356

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:1820

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:412

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:3752

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:3616

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:2188

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3972

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:1208

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:1556

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:3880

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:2724

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:2632

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3360

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:2208

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:3560

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:1108

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:1796

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:64

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:1964

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:2980

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:3588

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:3452

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:3596

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:2132

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:2116

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:1312

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:3872

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:2220

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:1004

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:1624

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3700

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:1516

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:3112

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:3992

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:1000

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:2492

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3812

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:1968

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:200

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:784

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:1896

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:2268

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3224

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:1112

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:2360

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:2244

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:2720

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:3564

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:2668

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:2700

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:2628

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:3960

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:3548

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:1192

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:2180

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:3028

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:536

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:2656

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:776

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:2272

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:2192

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:468

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:996

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:1956

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:2092

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:1232

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3516

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:2984

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:3724

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:676

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:2072

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:932

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3968

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:408

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:852

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:780

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:2992

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:2096

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:3544

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:3048

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:4080

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:1580

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:2440

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:1032

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-137-0x0000000000000000-mapping.dmp

Download
memory/200-158-0x0000000000000000-mapping.dmp

Download
memory/376-119-0x0000000000000000-mapping.dmp

Download
memory/412-122-0x0000000000000000-mapping.dmp

Download
memory/536-176-0x0000000000000000-mapping.dmp

Download
memory/776-178-0x0000000000000000-mapping.dmp

Download
memory/784-159-0x0000000000000000-mapping.dmp

Download
memory/1000-154-0x0000000000000000-mapping.dmp

Download
memory/1004-148-0x0000000000000000-mapping.dmp

Download
memory/1108-135-0x0000000000000000-mapping.dmp

Download
memory/1112-163-0x0000000000000000-mapping.dmp

Download
memory/1192-173-0x0000000000000000-mapping.dmp

Download
memory/1208-127-0x0000000000000000-mapping.dmp

Download
memory/1312-145-0x0000000000000000-mapping.dmp

Download
memory/1516-151-0x0000000000000000-mapping.dmp

Download
memory/1556-128-0x0000000000000000-mapping.dmp

Download
memory/1624-149-0x0000000000000000-mapping.dmp

Download
memory/1796-136-0x0000000000000000-mapping.dmp

Download
memory/1820-121-0x0000000000000000-mapping.dmp

Download
memory/1896-160-0x0000000000000000-mapping.dmp

Download
memory/1964-138-0x0000000000000000-mapping.dmp

Download
memory/1968-157-0x0000000000000000-mapping.dmp

Download
memory/2116-144-0x0000000000000000-mapping.dmp

Download
memory/2132-143-0x0000000000000000-mapping.dmp

Download
memory/2180-174-0x0000000000000000-mapping.dmp

Download
memory/2188-125-0x0000000000000000-mapping.dmp

Download
memory/2192-180-0x0000000000000000-mapping.dmp

Download
memory/2208-133-0x0000000000000000-mapping.dmp

Download
memory/2220-147-0x0000000000000000-mapping.dmp

Download
memory/2244-165-0x0000000000000000-mapping.dmp

Download
memory/2268-161-0x0000000000000000-mapping.dmp

Download
memory/2272-179-0x0000000000000000-mapping.dmp

Download
memory/2356-120-0x0000000000000000-mapping.dmp

Download
memory/2360-164-0x0000000000000000-mapping.dmp

Download
memory/2492-155-0x0000000000000000-mapping.dmp

Download
memory/2628-170-0x0000000000000000-mapping.dmp

Download
memory/2632-131-0x0000000000000000-mapping.dmp

Download
memory/2656-177-0x0000000000000000-mapping.dmp

Download
memory/2668-168-0x0000000000000000-mapping.dmp

Download
memory/2700-169-0x0000000000000000-mapping.dmp

Download
memory/2720-166-0x0000000000000000-mapping.dmp

Download
memory/2724-130-0x0000000000000000-mapping.dmp

Download
memory/2980-139-0x0000000000000000-mapping.dmp

Download
memory/3028-175-0x0000000000000000-mapping.dmp

Download
memory/3112-152-0x0000000000000000-mapping.dmp

Download
memory/3120-117-0x0000000000000000-mapping.dmp

Download
memory/3224-162-0x0000000000000000-mapping.dmp

Download
memory/3360-132-0x0000000000000000-mapping.dmp

Download
memory/3452-141-0x0000000000000000-mapping.dmp

Download
memory/3548-172-0x0000000000000000-mapping.dmp

Download
memory/3560-134-0x0000000000000000-mapping.dmp

Download
memory/3564-167-0x0000000000000000-mapping.dmp

Download
memory/3588-140-0x0000000000000000-mapping.dmp

Download
memory/3596-142-0x0000000000000000-mapping.dmp

Download
memory/3616-124-0x0000000000000000-mapping.dmp

Download
memory/3700-150-0x0000000000000000-mapping.dmp

Download
memory/3752-123-0x0000000000000000-mapping.dmp

Download
memory/3812-156-0x0000000000000000-mapping.dmp

Download
memory/3872-146-0x0000000000000000-mapping.dmp

Download
memory/3880-129-0x0000000000000000-mapping.dmp

Download
memory/3960-171-0x0000000000000000-mapping.dmp

Download
memory/3972-126-0x0000000000000000-mapping.dmp

Download
memory/3984-115-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/3984-114-0x00000000001E0000-0x00000000001F9000-memory.dmp

Filesize
100KB

Download
memory/3984-116-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/3992-153-0x0000000000000000-mapping.dmp

Download
memory/4004-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads