Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
18-05-2021 13:00
Static task
static1
Behavioral task
behavioral1
Sample
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
Resource
win10v20210408
General
-
Target
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe
-
Size
258KB
-
MD5
865f9e9a157c088e9f0a0c2a9c372e90
-
SHA1
e893fe8942e7d9eb136fc21ee9800e58dda39851
-
SHA256
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437
-
SHA512
e97968838b7969fd481fb9ba78e079f7d47133f1d15afdaa1890b7c21ace2504f3b43fff7149a42ffa186838fe0112a07d2b1f82fda00490da1010d024d70548
Malware Config
Signatures
-
GandCrab Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4036-115-0x00000000001E0000-0x00000000001F6000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kapastjyrow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe" 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exedescription ioc process File opened (read-only) \??\P: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\X: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\Y: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\E: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\H: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\J: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\K: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\O: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\M: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\N: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\S: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\T: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\V: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\G: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\I: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\L: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\Q: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\W: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\Z: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\A: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\B: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\F: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\R: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe File opened (read-only) \??\U: 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exepid process 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exedescription pid process target process PID 4036 wrote to memory of 2772 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2772 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2772 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 3776 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 3776 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 3776 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 3944 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 3944 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 3944 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2204 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2204 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2204 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 652 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 652 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 652 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 1584 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 1584 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 1584 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2324 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2324 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe PID 4036 wrote to memory of 2324 4036 35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe nslookup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe"C:\Users\Admin\AppData\Local\Temp\35f91fc5eef67c4fcd843c9d2351f770d09c5ec4b4efc10ded35de84cfcb7437.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup politiaromana.bit ns1.virmach.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup malwarehunterteam.bit ns1.virmach.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gdcb.bit ns2.virmach.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup politiaromana.bit ns2.virmach.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup malwarehunterteam.bit ns2.virmach.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gdcb.bit ns1.virmach.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup politiaromana.bit ns1.virmach.ru2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/652-120-0x0000000000000000-mapping.dmp
-
memory/1584-121-0x0000000000000000-mapping.dmp
-
memory/2204-119-0x0000000000000000-mapping.dmp
-
memory/2324-122-0x0000000000000000-mapping.dmp
-
memory/2772-116-0x0000000000000000-mapping.dmp
-
memory/3776-117-0x0000000000000000-mapping.dmp
-
memory/3944-118-0x0000000000000000-mapping.dmp
-
memory/4036-114-0x0000000000400000-0x00000000007AE000-memory.dmpFilesize
3.7MB
-
memory/4036-115-0x00000000001E0000-0x00000000001F6000-memory.dmpFilesize
88KB