Analysis
max time kernel: 119s
max time network: 120s
platform: windows10_x64
resource: win10v20210410
submitted: 18-05-2021 11:45
Static task: static1
Behavioral task: behavioral1
  Sample: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  Resource: win10v20210410
General
Target: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
Size: 229KB
MD5: eec0cfe5a8f4cf730b8a67631aa1ac36
SHA1: 631ee9945ef3e0e87d48e3b42899499f7bc1853b
SHA256: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800
SHA512: fec77cda78f257c36839409fc9d353ec18647a29deee631d939667ad3db0e2cb5fbdd24b76e5dfcd41292a08f5694fecece286e04a8d338582a77853e1b0b01f
Malware Config
Signatures
GandCrab Payload (1 IoC)
Processes:
  resource: behavioral2/memory/3876-115-0x0000000000AA0000-0x0000000000AB7000-memory.dmp
  yara_rule: family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\knmqummoame = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\pxpwnx.exe\""
    process: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    process: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  All 24 entries below have description "File opened (read-only)" and process 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe; the ioc column is listed in report order:
  \??\G:
  \??\I:
  \??\O:
  \??\P:
  \??\E:
  \??\F:
  \??\R:
  \??\S:
  \??\A:
  \??\Q:
  \??\T:
  \??\U:
  \??\W:
  \??\Z:
  \??\H:
  \??\K:
  \??\L:
  \??\M:
  \??\N:
  \??\V:
  \??\X:
  \??\Y:
  \??\B:
  \??\J:
Program crash (1 IoC)
Processes: WerFault.exe
  pid: 2712
  pid_target: 3876
  process: WerFault.exe
  target process: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    process: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    process: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
  description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
    process: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes: 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe, WerFault.exe
  pid 3876, process 104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe (4 entries)
  pid 2712, process WerFault.exe (15 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description: Token: SeRestorePrivilege
    pid: 2712
    process: WerFault.exe
  description: Token: SeBackupPrivilege
    pid: 2712
    process: WerFault.exe
  description: Token: SeDebugPrivilege
    pid: 2712
    process: WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\104c7975344f4baa614301e3527513a835fee34620f5eaeaee2ee904f8879800.exe"
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
2. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1252
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken