Analysis
- max time kernel: 120s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 17:37
Static task: static1
Behavioral task: behavioral1
  Sample: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
  Resource: win10-en-20211208
General
- Target: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
- Size: 139KB
- MD5: f0b616050bbab2b65110379cd4b448af
- SHA1: 98eb3b8d0ed6def28b8b0f4138ba760019fdb4fe
- SHA256: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62
- SHA512: 6f785a8018f65a8636dbdd265a57081be9d3151ce7034ae7cb56067b8624916af490570569f3d4082119b34908239ae5745e1b6bc67e0e2081cef4d29ed0a956
Malware Config
Signatures
- GandCrab Payload (1 IoC)
  Processes:
    resource: behavioral1/memory/1892-55-0x0000000000840000-0x0000000000868000-memory.dmp
    yara_rule: family_gandcrab
  Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Program crash (1 IoC)
  Processes:
    pid: 1192, process: WerFault.exe
    target pid: 1892, target process: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid: 1192, process: WerFault.exe (reported 4 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid: 1192, process: WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 1192, process: WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 1892 wrote to memory of 1192
    pid: 1892, process: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
    target process: WerFault.exe (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 168
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken