Analysis
max time kernel: 119s
max time network: 138s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 17:37
Static task: static1
Behavioral task: behavioral1
  Sample: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
  Resource: win10-en-20211208
General
Target: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
Size: 139KB
MD5: f0b616050bbab2b65110379cd4b448af
SHA1: 98eb3b8d0ed6def28b8b0f4138ba760019fdb4fe
SHA256: edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62
SHA512: 6f785a8018f65a8636dbdd265a57081be9d3151ce7034ae7cb56067b8624916af490570569f3d4082119b34908239ae5745e1b6bc67e0e2081cef4d29ed0a956
Malware Config
Signatures
GandCrab Payload (1 IoC)
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/2440-116-0x0000000000C90000-0x0000000000CB8000-memory.dmp    family_gandcrab
Gandcrab
GandCrab is a ransomware family: a Trojan that encrypts files on the infected computer and demands payment for their recovery. The YARA match here is on a memory region dumped from the sample process (pid 2440) in the win10 task (behavioral2), not on the file on disk.
Program crash (1 IoC)
Processes:
  pid    pid_target  process       target process
  3780   2440        WerFault.exe  edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid    process
  3780   WerFault.exe  (12 occurrences)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid    process
  Token: SeRestorePrivilege  3780   WerFault.exe
  Token: SeBackupPrivilege   3780   WerFault.exe
  Token: SeDebugPrivilege    3780   WerFault.exe
Note: both of these signatures fire only on WerFault.exe (pid 3780), the Windows error-reporting process that was spawned because the sample (pid 2440) crashed. Enumerating processes and enabling SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege is what WerFault does while collecting a crash dump, so these hits describe the crash handler, not the sample's own behaviour. The only sample-specific indicator in this run is the family_gandcrab YARA match on the dumped memory region.
Processes
1. C:\Users\Admin\AppData\Local\Temp\edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe (pid 2440)
   command line: "C:\Users\Admin\AppData\Local\Temp\edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62.exe"
   2. C:\Windows\SysWOW64\WerFault.exe (pid 3780)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 528
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/2440-116-0x0000000000C90000-0x0000000000CB8000-memory.dmp  (Filesize: 160KB)
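The dumped region listed above and the WerFault command line in the process tree can be tied together mechanically. The following Python is an added example written for this page, not code from Triage or from the report: it parses the sandbox's memory-dump artifact name into task, pid, sequence number (the meaning of the second numeric field, 116, is an assumption), start and end address, checks that the region size matches the listed 160KB, and pulls the crashing pid out of WerFault's -p switch to confirm the dump was taken from the process that crashed. The inputs are copied from this report and embedded as constants.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Inputs copied from this report (constructed for the example, not fetched from the sandbox).
DUMP_NAME = "behavioral2/memory/2440-116-0x0000000000C90000-0x0000000000CB8000-memory.dmp"
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 528"
LISTED_FILESIZE = "160KB"

# Assumed layout: [<task>/]memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# The second numeric field is assumed to be a per-task dump sequence number.
DUMP_RE = re.compile(
    r"^(?:(?P<task>[^/]+)/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryDump:
    task: Optional[str]
    pid: int
    seq: int
    start: int  # virtual address of the first byte dumped
    end: int    # virtual address one past the last byte dumped

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> MemoryDump:
    """Split a Triage-style memory dump artifact name into its fields."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump artifact name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address {end:#x} is not above start {start:#x}")
    return MemoryDump(m["task"], int(m["pid"]), int(m["seq"]), start, end)


def format_size(n: int) -> str:
    """Render a byte count the way the report lists it (whole KB when exact)."""
    return f"{n // 1024}KB" if n % 1024 == 0 else f"{n}B"


def werfault_target_pid(cmdline: str) -> Optional[int]:
    """Return the crashing process id WerFault.exe was given via -p, if present."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)(?=\s|$)", cmdline)
    return int(m.group(1)) if m else None


def dump_matches_crash(dump_name: str, werfault_cmdline: str) -> bool:
    """True when the dumped region came from the process WerFault reported as crashed."""
    return parse_dump_name(dump_name).pid == werfault_target_pid(werfault_cmdline)


if __name__ == "__main__":
    d = parse_dump_name(DUMP_NAME)
    print(f"task={d.task} pid={d.pid} seq={d.seq} "
          f"region={d.start:#x}-{d.end:#x} size={format_size(d.size)}")
    print("size matches listing:", format_size(d.size) == LISTED_FILESIZE)
    print("crashed pid from WerFault:", werfault_target_pid(WERFAULT_CMDLINE))
    print("dump is from crashed process:", dump_matches_crash(DUMP_NAME, WERFAULT_CMDLINE))
```

Running it shows the region 0xC90000-0xCB8000 is exactly 0x28000 bytes, which is the 160KB the listing reports, and that the pid in the dump name (2440) is the same pid WerFault was told to handle, so the family_gandcrab YARA hit and the crash refer to one and the same process.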