gandcrab | 421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de

General

Target

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Size

410KB
MD5

3a6c7506de79ae783f718bc6701fd244
SHA1

a5601ae8bc95cbb887aac2face46d911527c6c2b
SHA256

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de
SHA512

3010eda9988f31b642b130e71c401dcb9642d2e2c0518741e4455e4e9245d8d4484b8dcd77e124dde798567efa74b725b2b831ecd958f72d2230efa37f11707c

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1304-136-0x0000000000720000-0x0000000000748000-memory.dmp	family_gandcrab
behavioral2/memory/1304-140-0x0000000000720000-0x0000000000748000-memory.dmp	family_gandcrab
behavioral2/memory/1304-144-0x0000000000720000-0x0000000000748000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Suspicious use of SetThreadContext 1 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	pid	process	target process
PID 5060 set thread context of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4732 1304 WerFault.exe 421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description pid process

Token: SeDebugPrivilege 5060 421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

pid	pid_target	process	target process
4732	1304	WerFault.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	pid	process
Token: SeDebugPrivilege	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	pid	process	target process
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 5060 wrote to memory of 1304	5060	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
"C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
"C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe"
2⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 188
3⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1304 -ip 1304
1⤵
PID:1572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-134-0x0000000000000000-mapping.dmp

Download
memory/1304-136-0x0000000000720000-0x0000000000748000-memory.dmp

Filesize
160KB

Download
memory/1304-140-0x0000000000720000-0x0000000000748000-memory.dmp

Filesize
160KB

Download
memory/1304-144-0x0000000000720000-0x0000000000748000-memory.dmp

Filesize
160KB

Download
memory/5060-130-0x0000000000950000-0x00000000009BA000-memory.dmp

Filesize
424KB

Download
memory/5060-131-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/5060-132-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/5060-133-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads