gandcrab | 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437

General

Target

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Size

258KB
MD5

865f9e9a157c088e9f0a0c2a9c372e90
SHA1

e893fe8942e7d9eb136fc21ee9800e58dda39851
SHA256

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437
SHA512

e97968838b7969fd481fb9ba78e079f7d47133f1d15afdaa1890b7c21ace2504f3b43fff7149a42ffa186838fe0112a07d2b1f82fda00490da1010d024d70548

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4036-115-0x00000000001E0000-0x00000000001F6000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kapastjyrow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe"	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	ioc	process
File opened (read-only)	\??\P:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\X:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\Y:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\E:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\H:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\J:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\K:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\O:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\M:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\N:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\S:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\T:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\V:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\G:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\I:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\L:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\Q:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\W:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\Z:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\A:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\B:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\F:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\R:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
File opened (read-only)	\??\U:	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

pid	process
4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe

description	pid	process	target process
PID 4036 wrote to memory of 2772	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2772	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2772	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 3776	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 3776	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 3776	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 3944	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 3944	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 3944	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2204	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2204	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2204	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 652	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 652	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 652	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 1584	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 1584	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 1584	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2324	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2324	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe
PID 4036 wrote to memory of 2324	4036	35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
"C:\Users\Admin\AppData\Local\Temp\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:2772

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns1.virmach.ru
2⤵
PID:3776

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns2.virmach.ru
2⤵
PID:3944

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns2.virmach.ru
2⤵
PID:2204

C:\Windows\SysWOW64\nslookup.exe
nslookup malwarehunterteam.bit ns2.virmach.ru
2⤵
PID:652

C:\Windows\SysWOW64\nslookup.exe
nslookup gdcb.bit ns1.virmach.ru
2⤵
PID:1584

C:\Windows\SysWOW64\nslookup.exe
nslookup politiaromana.bit ns1.virmach.ru
2⤵
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-120-0x0000000000000000-mapping.dmp

Download
memory/1584-121-0x0000000000000000-mapping.dmp

Download
memory/2204-119-0x0000000000000000-mapping.dmp

Download
memory/2324-122-0x0000000000000000-mapping.dmp

Download
memory/2772-116-0x0000000000000000-mapping.dmp

Download
memory/3776-117-0x0000000000000000-mapping.dmp

Download
memory/3944-118-0x0000000000000000-mapping.dmp

Download
memory/4036-114-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/4036-115-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads