Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2022, 19:52
Static task: static1
Behavioral task: behavioral1
  Sample: 02bd27014c640ebf3a29efdea78f2817.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 02bd27014c640ebf3a29efdea78f2817.exe
  Resource: win10v2004-20220901-en
General
Target: 02bd27014c640ebf3a29efdea78f2817.exe
Size: 301KB
MD5: 02bd27014c640ebf3a29efdea78f2817
SHA1: 27f34b7364474117cb50bca2eee3ebb5af67f5c2
SHA256: 4c5681886e9ab4bb8f9afb0187bcb750a4420332d10539e6ba61d7c8870d6fa8
SHA512: 6b3a0254a1fb05fff5b92e0a7a8fc2f52394d5899fe90a57e8194d1ae5930c50d26a28dd6638245b13b2367c170f46a9fa850670311d53eaef6581daecaa9608
SSDEEP: 6144:rAOXfCzxaL+W8pZZz+FF4X4sYN+Qaf3AVwbLWJ:rVXfmax8PZz+v4+9Mu
Malware Config

Signatures
GandCrab payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1768-56-0x0000000000400000-0x0000000002387000-memory.dmp | family_gandcrab
behavioral1/memory/1768-59-0x0000000000400000-0x0000000002387000-memory.dmp | family_gandcrab
behavioral1/memory/1768-60-0x0000000000380000-0x0000000000397000-memory.dmp | family_gandcrab
behavioral1/memory/1768-65-0x0000000000380000-0x0000000000397000-memory.dmp | family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 02bd27014c640ebf3a29efdea78f2817.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\buzwclfzadp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\fnobcl.exe\"" | 02bd27014c640ebf3a29efdea78f2817.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\X: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\H: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\F: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\G: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\I: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\L: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\M: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\N: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\Q: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\A: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\W: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\S: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\K: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\O: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\R: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\T: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\V: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\E: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\J: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\U: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\Y: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\Z: | 02bd27014c640ebf3a29efdea78f2817.exe
File opened (read-only) | \??\B: | 02bd27014c640ebf3a29efdea78f2817.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 02bd27014c640ebf3a29efdea78f2817.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 02bd27014c640ebf3a29efdea78f2817.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 02bd27014c640ebf3a29efdea78f2817.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1768 | 02bd27014c640ebf3a29efdea78f2817.exe
1768 | 02bd27014c640ebf3a29efdea78f2817.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each of the 16 entries below is recorded four times in the report (64 IoCs in total).
description | pid | Process | procid_target
PID 1768 wrote to memory of 524 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 27
PID 1768 wrote to memory of 560 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 29
PID 1768 wrote to memory of 1200 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 31
PID 1768 wrote to memory of 1544 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 33
PID 1768 wrote to memory of 1536 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 35
PID 1768 wrote to memory of 976 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 37
PID 1768 wrote to memory of 1944 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 39
PID 1768 wrote to memory of 2016 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 41
PID 1768 wrote to memory of 1612 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 43
PID 1768 wrote to memory of 956 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 45
PID 1768 wrote to memory of 1052 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 47
PID 1768 wrote to memory of 1648 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 49
PID 1768 wrote to memory of 1080 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 51
PID 1768 wrote to memory of 1308 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 53
PID 1768 wrote to memory of 1508 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 55
PID 1768 wrote to memory of 1116 | 1768 | 02bd27014c640ebf3a29efdea78f2817.exe | 57
Processes
C:\Users\Admin\AppData\Local\Temp\02bd27014c640ebf3a29efdea78f2817.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02bd27014c640ebf3a29efdea78f2817.exe"
  PID: 1768
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes of PID 1768 (path | command line | PID):
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 524
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 560
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1200
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1544
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1536
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 976
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1944
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 2016
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1612
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 956
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1052
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1648
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1080
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1308
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1508
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1116
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1148
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 760
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1480
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1068
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 556
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1700
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1524
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1704
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 596
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1924
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1824
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1920
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1196
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1576
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1600
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1744
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 800
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1464
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1564
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1800
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 744
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1656
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1532
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 672
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 832
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1956
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 980
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1732
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1596
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 856
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1900
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1476
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 828
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1104
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 548
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 676
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1764
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 816
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1652
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1912
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 748
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1460
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1384
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 1408
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1484
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 1720
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1696
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 572
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1156
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 624
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns2.wowservers.ru | PID: 1904
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.wowservers.ru | PID: 2008
    C:\Windows\SysWOW64\nslookup.exe | nslookup carder.bit ns1.wowservers.ru | PID: 1440
    C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.wowservers.ru | PID: 924