gandcrab | 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437

General

Target

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Size

258KB
MD5

865f9e9a157c088e9f0a0c2a9c372e90
SHA1

e893fe8942e7d9eb136fc21ee9800e58dda39851
SHA256

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437
SHA512

e97968838b7969fd481fb9ba78e079f7d47133f1d15afdaa1890b7c21ace2504f3b43fff7149a42ffa186838fe0112a07d2b1f82fda00490da1010d024d70548

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-62-0x00000000003C0000-0x00000000003D6000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gdannlphvae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe"	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	ioc	process
File opened (read-only)	\??\B:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\F:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\H:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\M:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\N:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\O:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\P:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\A:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\X:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\I:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\R:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\S:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\Z:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\E:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\Q:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\U:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\V:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\K:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\J:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\L:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\T:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\W:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\Y:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\G:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

pid	process
1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	pid	process	target process
PID 1700 wrote to memory of 1788	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1788	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1788	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1788	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 600	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 600	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 600	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 600	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 804	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 804	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 804	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 804	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1428	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1428	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1428	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1428	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1748	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1748	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1748	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 1700 wrote to memory of 1748	1700	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
"C:\Users\Admin\AppData\Local\Temp\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:1788

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:600

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:804

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:1428

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-64-0x0000000000000000-mapping.dmp

Download
memory/804-65-0x0000000000000000-mapping.dmp

Download
memory/1428-66-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1700-61-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/1700-62-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/1748-67-0x0000000000000000-mapping.dmp

Download
memory/1788-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads