gandcrab | e3b89d8b16ce7e12fd2adc93ad8998a423699401885aca2fed051cac7d5b3b3c

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
Size

300KB
MD5

bcfe609eeb073d7d0d072b890581e3e0
SHA1

88a4ddaff03953add5dcdcc9a8436653549ed3c3
SHA256

e3b89d8b16ce7e12fd2adc93ad8998a423699401885aca2fed051cac7d5b3b3c
SHA512

541ad4fdbf6f6d8128c1d8ba71d54af3737cd5d64f844e61e23e07b3e8bef85d6dabb7e131af253c24476f078a0d3bcf28bd072d93b44f76f20d4ce19a0fc582
SSDEEP

6144:5vEANMO1UnseVgkV0xwvfxnhLTiusLe1740B:quM0Unsna5mut40B

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab payload 2 IoCs

resource	yara_rule
behavioral2/memory/1504-1-0x0000000000400000-0x0000000003B9B000-memory.dmp	family_gandcrab
behavioral2/memory/1504-2-0x00000000059B0000-0x00000000059C7000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Detects Reflective DLL injection artifacts 2 IoCs

resource	yara_rule
behavioral2/memory/1504-1-0x0000000000400000-0x0000000003B9B000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/memory/1504-2-0x00000000059B0000-0x00000000059C7000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects ransomware indicator 1 IoCs

resource	yara_rule
behavioral2/memory/1504-2-0x00000000059B0000-0x00000000059C7000-memory.dmp	SUSP_RANSOMWARE_Indicator_Jul20

Gandcrab Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1504-1-0x0000000000400000-0x0000000003B9B000-memory.dmp	Gandcrab
behavioral2/memory/1504-2-0x00000000059B0000-0x00000000059C7000-memory.dmp	Gandcrab

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4664	1504	WerFault.exe	86

Suspicious use of SetWindowsHookAW 64 IoCs

pid	Process
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
1504	2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_bcfe609eeb073d7d0d072b890581e3e0_mafia.exe"
1⤵
- Suspicious use of SetWindowsHookAW
PID:1504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 492
  2⤵
  - Program crash
  PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1504 -ip 1504
1⤵
PID:5100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-0-0x0000000005900000-0x000000000591B000-memory.dmp

Filesize
108KB

Download
memory/1504-1-0x0000000000400000-0x0000000003B9B000-memory.dmp

Filesize
55.6MB

Download
memory/1504-2-0x00000000059B0000-0x00000000059C7000-memory.dmp

Filesize
92KB

Download
memory/1504-6-0x0000000005900000-0x000000000591B000-memory.dmp

Filesize
108KB

Download