Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
15-09-2023 17:20
General
-
Target
2023-08-25_dc05502d3f3f90fff8f238acd1968b37_mafia_JC.exe
-
Size
250KB
-
MD5
dc05502d3f3f90fff8f238acd1968b37
-
SHA1
687eaed7a2ea82eb8cf52e50464318aef6fa8be1
-
SHA256
585099816a6edd82a0a8c7495d164595910782e9c640cc55a96863b9239c0fdc
-
SHA512
e8f064da02e37174b677c7ed2a0c3c90f95208ff82f0d7e3d3a64ffd276104b87b66a9af2d389f8006af979ea3bbb2e3c51d35409a82bb25b605381a628520c5
-
SSDEEP
3072:D/yK5d0Gj0+nY3uEBLvBNfdUR2/qFnB8o2+vU3WuvIBuj00nReaXkuSQ7cdOd3:D/y20Gj0r+EBFrkvlU3RvIUDOIN
Malware Config
Signatures
-
GandCrab payload 4 IoCs
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-08-25_dc05502d3f3f90fff8f238acd1968b37_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\2023-08-25_dc05502d3f3f90fff8f238acd1968b37_mafia_JC.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2180-2-0x00000000002B0000-0x00000000003B0000-memory.dmpFilesize
1024KB
-
memory/2180-3-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/2180-5-0x00000000001B0000-0x00000000001C7000-memory.dmpFilesize
92KB
-
memory/2180-4-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/2180-12-0x00000000002B0000-0x00000000003B0000-memory.dmpFilesize
1024KB
-
memory/2180-13-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/2180-15-0x00000000001B0000-0x00000000001C7000-memory.dmpFilesize
92KB