gandcrab | edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62

Analysis

Target

edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
Size

139KB
MD5

f0b616050bbab2b65110379cd4b448af
SHA1

98eb3b8d0ed6def28b8b0f4138ba760019fdb4fe
SHA256

edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62
SHA512

6f785a8018f65a8636dbdd265a57081be9d3151ce7034ae7cb56067b8624916af490570569f3d4082119b34908239ae5745e1b6bc67e0e2081cef4d29ed0a956

Score

10^/10

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-55-0x0000000000840000-0x0000000000868000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1192 1892 WerFault.exe edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1192 WerFault.exe
1192 WerFault.exe
1192 WerFault.exe
1192 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1192 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1192 WerFault.exe

pid	pid_target	process	target process
1192	1892	WerFault.exe	edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe

pid	process
1192	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1192	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe

description	pid	process	target process
PID 1892 wrote to memory of 1192	1892	edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe	WerFault.exe
PID 1892 wrote to memory of 1192	1892	edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe	WerFault.exe
PID 1892 wrote to memory of 1192	1892	edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe	WerFault.exe
PID 1892 wrote to memory of 1192	1892	edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
"C:\Users\Admin\AppData\Local\Temp\edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892

memory/1192-58-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1892-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1892-55-0x0000000000840000-0x0000000000868000-memory.dmp

Filesize
160KB

Download