Analysis

  • max time kernel
    141s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2023, 18:16

General

  • Target

    88008879360d79106c8cdbd409b3950f_mafia_JC.exe

  • Size

    319KB

  • MD5

    88008879360d79106c8cdbd409b3950f

  • SHA1

    c8c7fd30690eba3d7de98f520bf567e33447aafb

  • SHA256

    fdc466475c9e702d73a31a740be14066fb220d8dd8b7888b21f161a4ab237ef1

  • SHA512

    e90e64e8edf1e95efb9d53a895e791cc6fe89037045067f55732cc4b121408690243bcc407c1d4811379e24aa74717f2bf45e8def1ff313fd96a77f34214dcb8

  • SSDEEP

    3072:/LFqoITs8+GgzXKhp6vFcBNTjbL617AL6MfUL1OeV7LGyH0Bme3BdcpFbMT9O:/LFAYz7z6hp2W1L61ALCOk7LhdeROuO

Malware Config

Signatures

  • GandCrab payload 2 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookAW 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88008879360d79106c8cdbd409b3950f_mafia_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\88008879360d79106c8cdbd409b3950f_mafia_JC.exe"
    1⤵
    • Suspicious use of SetWindowsHookAW
    PID:4920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 468
      2⤵
      • Program crash
      PID:3796
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4920 -ip 4920
    1⤵
    PID:2032

Downloads

  • memory/4920-0-0x00000000068B0000-0x00000000068CB000-memory.dmp

    Filesize

    108KB

  • memory/4920-1-0x0000000000400000-0x0000000004B6E000-memory.dmp

    Filesize

    71.4MB

  • memory/4920-3-0x00000000068F0000-0x0000000006907000-memory.dmp

    Filesize

    92KB

  • memory/4920-7-0x00000000068B0000-0x00000000068CB000-memory.dmp

    Filesize

    108KB