gandcrab | 41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf

General

Target

41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Size

231KB
MD5

1d364a0c31c32d46b5efe2598125818f
SHA1

11404f54bd4a3168a152b9af177f13bc481fa576
SHA256

41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf
SHA512

3e39a071666b0f6c00c86a445e401898b22bf2de99e8c632a89032364620acef8bc016dce0bd522172421f1b97197ef7e673c4e840b41c37ca4a029753c82fe8

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3332-132-0x0000000000400000-0x0000000000B49000-memory.dmp	family_gandcrab
behavioral2/memory/3332-134-0x0000000000CB0000-0x0000000000CC7000-memory.dmp	family_gandcrab
behavioral2/memory/3332-136-0x0000000000400000-0x0000000000B49000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Drops file in Windows directory 1 IoCs

Processes:

41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

description ioc process

File opened for modification C:\Windows\win.ini 41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4176 3332 WerFault.exe 41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

pid	pid_target	process	target process
4176	3332	WerFault.exe	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

description	pid	process
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
Token: SeLoadDriverPrivilege	3332	41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe

C:\Users\Admin\AppData\Local\Temp\41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe
"C:\Users\Admin\AppData\Local\Temp\41c35a69a2313fec2dbf6b2ba8813a5e3ee3adf6a48491ca2b7b9a0110e54adf.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 556
2⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3332 -ip 3332
1⤵
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3332-130-0x0000000000DDE000-0x0000000000DFA000-memory.dmp

Filesize
112KB

Download
memory/3332-131-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/3332-132-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/3332-134-0x0000000000CB0000-0x0000000000CC7000-memory.dmp

Filesize
92KB

Download
memory/3332-135-0x0000000000DDE000-0x0000000000DFA000-memory.dmp

Filesize
112KB

Download
memory/3332-136-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads