Analysis
-
max time kernel
27s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-07-2022 04:26
Static task
static1
Behavioral task
behavioral1
Sample
3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe
Resource
win10v2004-20220414-en
General
-
Target
3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe
-
Size
69KB
-
MD5
30d3a374032ae49b3fe51a26491aeb7a
-
SHA1
1439525db8cac84c917ec84b8171287f80925c50
-
SHA256
3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f
-
SHA512
3073adfb211df33c5496960ab21f62577cf4bd3d09b8334921dfe0188d6e4914f0e9671d0673203642fd00d1ce42e9f76105b1ed3aaf43a680ef704f4648e9b6
Malware Config
Signatures
-
GandCrab Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1972-55-0x000000000F800000-0x000000000F816000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1936 1972 WerFault.exe 3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exedescription pid process target process PID 1972 wrote to memory of 1936 1972 3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe WerFault.exe PID 1972 wrote to memory of 1936 1972 3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe WerFault.exe PID 1972 wrote to memory of 1936 1972 3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe WerFault.exe PID 1972 wrote to memory of 1936 1972 3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe"C:\Users\Admin\AppData\Local\Temp\3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1242⤵
- Program crash