gandcrab | f2157f37097464747d2ad1eb6bced742668aa9dc4f5d333fdc1a1e0def445816

Analysis

max time kernel
1s
max time network
164s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
Size

319KB
MD5

cccc79bc1c613415bc69ba3f44ff14bf
SHA1

5083372da65f2815e552f5d5126560cd1d7f81fc
SHA256

f2157f37097464747d2ad1eb6bced742668aa9dc4f5d333fdc1a1e0def445816
SHA512

ef55e155d98b99d6f9e81d40f21a79b4fcb22eb407b69feb9fa016e86c3dd0e63b134ae9575344918bf1c13d45cfdfb659f525b9f5f8b3f9be1f199fdbb33e84
SSDEEP

3072:kkLFqoITs8+GgzXKhp6vFcBNTjbL617AL6MfUL1OeV7LGyH0Bme3BdcpFbMT9O:kkLFAYz7z6hp2W1L61ALCOk7LhdeROuO

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab payload 4 IoCs

resource	yara_rule
behavioral1/memory/2080-2-0x0000000000280000-0x0000000000297000-memory.dmp	family_gandcrab
behavioral1/memory/2080-1-0x0000000000400000-0x0000000004B6E000-memory.dmp	family_gandcrab
behavioral1/memory/2080-9-0x0000000000400000-0x0000000004B6E000-memory.dmp	family_gandcrab
behavioral1/memory/2080-12-0x0000000000280000-0x0000000000297000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183

Suspicious use of SetWindowsHookAW 64 IoCs

pid	Process
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
2080	2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_cccc79bc1c613415bc69ba3f44ff14bf_mafia.exe"
1⤵
- Suspicious use of SetWindowsHookAW
PID:2080
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2284
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2660
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2636
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2380
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2872
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2920
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1712
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2548
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1936
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1484
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:944
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:3060
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2668
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:820
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1312
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2216
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1064
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1820
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2436
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:332
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1428
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:940
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:368
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:900
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1552
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:3068
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2344
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1232
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2072
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2764
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1220
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2720
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2080-0-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2080-2-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/2080-1-0x0000000000400000-0x0000000004B6E000-memory.dmp

Filesize
71.4MB

Download
memory/2080-9-0x0000000000400000-0x0000000004B6E000-memory.dmp

Filesize
71.4MB

Download
memory/2080-11-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2080-12-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download