gandcrab | 18b87438a4cbabbbbf0fadfe871645f47d9c6daa19450e031244744411cb631b

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2023, 13:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
Size

145KB
MD5

70a7bb7feea71169c8b41b1b15f49882
SHA1

3dd9cda80e1559e6d0c431ec3fd8b1c0667d8e26
SHA256

18b87438a4cbabbbbf0fadfe871645f47d9c6daa19450e031244744411cb631b
SHA512

2e6f8a19d3fdb83ab3845300e88414347a23679c1e6da67006d1b000e953cff08f1b16d057e39edbf0b5abdbb693a601d5a34aa48bc5188104dcd6a6aec30fc8
SSDEEP

3072:7YHVHd2NCMqqDL2/mr3IdE8we0Avu5r++ygLIaagvdCjRv9OtN:7yOqqDL64vdGREz

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab payload 2 IoCs

resource	yara_rule
behavioral2/memory/3428-133-0x0000000000400000-0x0000000000428000-memory.dmp	family_gandcrab
behavioral2/memory/3428-137-0x0000000000400000-0x0000000000428000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vpjmfjcyzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe"	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\L:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\R:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\V:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\A:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\G:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\I:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\U:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\Z:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\B:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\K:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\M:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\O:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\P:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\T:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\X:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\H:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\J:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\N:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\Q:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\S:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\W:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
File opened (read-only)	\??\Y:	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 1264	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	83
PID 3428 wrote to memory of 1264	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	83
PID 3428 wrote to memory of 1264	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	83
PID 3428 wrote to memory of 4908	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	92
PID 3428 wrote to memory of 4908	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	92
PID 3428 wrote to memory of 4908	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	92
PID 3428 wrote to memory of 2180	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	94
PID 3428 wrote to memory of 2180	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	94
PID 3428 wrote to memory of 2180	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	94
PID 3428 wrote to memory of 1728	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	97
PID 3428 wrote to memory of 1728	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	97
PID 3428 wrote to memory of 1728	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	97
PID 3428 wrote to memory of 1060	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	99
PID 3428 wrote to memory of 1060	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	99
PID 3428 wrote to memory of 1060	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	99
PID 3428 wrote to memory of 1244	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	101
PID 3428 wrote to memory of 1244	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	101
PID 3428 wrote to memory of 1244	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	101
PID 3428 wrote to memory of 4024	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	103
PID 3428 wrote to memory of 4024	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	103
PID 3428 wrote to memory of 4024	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	103
PID 3428 wrote to memory of 1092	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	105
PID 3428 wrote to memory of 1092	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	105
PID 3428 wrote to memory of 1092	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	105
PID 3428 wrote to memory of 692	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	107
PID 3428 wrote to memory of 692	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	107
PID 3428 wrote to memory of 692	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	107
PID 3428 wrote to memory of 796	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	109
PID 3428 wrote to memory of 796	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	109
PID 3428 wrote to memory of 796	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	109
PID 3428 wrote to memory of 1164	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	111
PID 3428 wrote to memory of 1164	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	111
PID 3428 wrote to memory of 1164	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	111
PID 3428 wrote to memory of 3400	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	113
PID 3428 wrote to memory of 3400	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	113
PID 3428 wrote to memory of 3400	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	113
PID 3428 wrote to memory of 2844	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	115
PID 3428 wrote to memory of 2844	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	115
PID 3428 wrote to memory of 2844	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	115
PID 3428 wrote to memory of 4248	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	117
PID 3428 wrote to memory of 4248	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	117
PID 3428 wrote to memory of 4248	3428	70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe	117

C:\Users\Admin\AppData\Local\Temp\70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe
"C:\Users\Admin\AppData\Local\Temp\70a7bb7feea71169c8b41b1b15f49882_gandcrab_JC.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1264
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:4908
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:2180
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1728
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:1060
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1244
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4024
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:1092
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:692
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:796
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:1164
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3400
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2844
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3428-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3428-137-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download