gandcrab | 3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f | Triage

Analysis

max time kernel
27s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-07-2022 04:26

Sharing

Report Analysis Logs

General

Target

3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe
Size

69KB
MD5

30d3a374032ae49b3fe51a26491aeb7a
SHA1

1439525db8cac84c917ec84b8171287f80925c50
SHA256

3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f
SHA512

3073adfb211df33c5496960ab21f62577cf4bd3d09b8334921dfe0188d6e4914f0e9671d0673203642fd00d1ce42e9f76105b1ed3aaf43a680ef704f4648e9b6

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-55-0x000000000F800000-0x000000000F816000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1936 1972 WerFault.exe 3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe

description	pid	process	target process
PID 1972 wrote to memory of 1936	1972	3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe	WerFault.exe
PID 1972 wrote to memory of 1936	1972	3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe	WerFault.exe
PID 1972 wrote to memory of 1936	1972	3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe	WerFault.exe
PID 1972 wrote to memory of 1936	1972	3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe
"C:\Users\Admin\AppData\Local\Temp\3d0c86a5a98c935592c136a0ebea22be344c10dcd2674438bc37e92337bb451f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 124
2⤵
- Program crash
PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-56-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x000000000F800000-0x000000000F816000-memory.dmp

Filesize
88KB

Download