Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27-06-2022 00:11
General
-
Target
3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c.exe
-
Size
254KB
-
MD5
200914872736a72a37d2433460f4dfb7
-
SHA1
c9d8bb9fd2472f1af12bfb3a9594e4ad767e8361
-
SHA256
3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c
-
SHA512
95b2ef953e80f81a535de70e359cf14055621f0cc6f3e54247258cd7781f6db7ad38a2457f5523ce25d252a53ad52cab7230fe7da662d582fc1fe67acac38f3a
Score
10/10
Malware Config
Signatures
-
GandCrab Payload 4 IoCs
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE Observed GandCrab Domain (gandcrab .bit)
suricata: ET MALWARE Observed GandCrab Domain (gandcrab .bit)
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c.exe"C:\Users\Admin\AppData\Local\Temp\3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/112-87-0x0000000000000000-mapping.dmp
-
memory/268-76-0x0000000000000000-mapping.dmp
-
memory/280-122-0x0000000000000000-mapping.dmp
-
memory/300-77-0x0000000000000000-mapping.dmp
-
memory/316-119-0x0000000000000000-mapping.dmp
-
memory/324-96-0x0000000000000000-mapping.dmp
-
memory/340-108-0x0000000000000000-mapping.dmp
-
memory/456-84-0x0000000000000000-mapping.dmp
-
memory/536-60-0x0000000000000000-mapping.dmp
-
memory/672-82-0x0000000000000000-mapping.dmp
-
memory/684-105-0x0000000000000000-mapping.dmp
-
memory/688-86-0x0000000000000000-mapping.dmp
-
memory/756-120-0x0000000000000000-mapping.dmp
-
memory/768-80-0x0000000000000000-mapping.dmp
-
memory/772-113-0x0000000000000000-mapping.dmp
-
memory/828-91-0x0000000000000000-mapping.dmp
-
memory/848-85-0x0000000000000000-mapping.dmp
-
memory/896-94-0x0000000000000000-mapping.dmp
-
memory/904-73-0x0000000000000000-mapping.dmp
-
memory/912-90-0x0000000000000000-mapping.dmp
-
memory/920-118-0x0000000000000000-mapping.dmp
-
memory/972-65-0x0000000000000000-mapping.dmp
-
memory/976-95-0x0000000000000000-mapping.dmp
-
memory/984-62-0x0000000000000000-mapping.dmp
-
memory/1072-102-0x0000000000000000-mapping.dmp
-
memory/1128-114-0x0000000000000000-mapping.dmp
-
memory/1132-117-0x0000000000000000-mapping.dmp
-
memory/1188-101-0x0000000000000000-mapping.dmp
-
memory/1196-99-0x0000000000000000-mapping.dmp
-
memory/1228-71-0x0000000000000000-mapping.dmp
-
memory/1236-107-0x0000000000000000-mapping.dmp
-
memory/1264-75-0x0000000000000000-mapping.dmp
-
memory/1308-70-0x0000000000000000-mapping.dmp
-
memory/1344-103-0x0000000000000000-mapping.dmp
-
memory/1348-88-0x0000000000000000-mapping.dmp
-
memory/1380-109-0x0000000000000000-mapping.dmp
-
memory/1388-106-0x0000000000000000-mapping.dmp
-
memory/1504-116-0x0000000000000000-mapping.dmp
-
memory/1516-112-0x0000000000000000-mapping.dmp
-
memory/1528-124-0x0000000000000000-mapping.dmp
-
memory/1552-72-0x0000000000000000-mapping.dmp
-
memory/1564-98-0x0000000000000000-mapping.dmp
-
memory/1600-74-0x0000000000000000-mapping.dmp
-
memory/1612-64-0x0000000000230000-0x0000000000254000-memory.dmpFilesize
144KB
-
memory/1612-55-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1612-57-0x00000000005A2000-0x00000000005C1000-memory.dmpFilesize
124KB
-
memory/1612-58-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1612-54-0x0000000076531000-0x0000000076533000-memory.dmpFilesize
8KB
-
memory/1612-59-0x0000000000230000-0x0000000000254000-memory.dmpFilesize
144KB
-
memory/1612-63-0x00000000005A2000-0x00000000005C1000-memory.dmpFilesize
124KB
-
memory/1628-100-0x0000000000000000-mapping.dmp
-
memory/1636-121-0x0000000000000000-mapping.dmp
-
memory/1640-66-0x0000000000000000-mapping.dmp
-
memory/1648-123-0x0000000000000000-mapping.dmp
-
memory/1656-97-0x0000000000000000-mapping.dmp
-
memory/1668-81-0x0000000000000000-mapping.dmp
-
memory/1680-115-0x0000000000000000-mapping.dmp
-
memory/1688-78-0x0000000000000000-mapping.dmp
-
memory/1696-79-0x0000000000000000-mapping.dmp
-
memory/1716-68-0x0000000000000000-mapping.dmp
-
memory/1744-67-0x0000000000000000-mapping.dmp
-
memory/1748-104-0x0000000000000000-mapping.dmp
-
memory/1784-110-0x0000000000000000-mapping.dmp
-
memory/1804-83-0x0000000000000000-mapping.dmp
-
memory/1824-92-0x0000000000000000-mapping.dmp
-
memory/1856-111-0x0000000000000000-mapping.dmp
-
memory/1892-93-0x0000000000000000-mapping.dmp
-
memory/1936-61-0x0000000000000000-mapping.dmp
-
memory/1980-89-0x0000000000000000-mapping.dmp
-
memory/2040-69-0x0000000000000000-mapping.dmp