Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/02/2024, 06:33

General

  • Target

    2024-02-22_5186db197edcf4cb5cf73e0e71a8d5ea_mafia.exe

  • Size

    351KB

  • MD5

    5186db197edcf4cb5cf73e0e71a8d5ea

  • SHA1

    e5f53eb2b733400f82f4f04d1a488c22b5c2713d

  • SHA256

    93e27079b4b754959dd45d178fe2e1e27ab87beed471898c8279336c3e79f391

  • SHA512

    d985910c3aaef37a1f409ea43578b79223336557dbe10fd7a61ed77ac3b38e6cb9cc9429e9044b4c61a081fd7677a59c756f6458231f56b387446d794b2e926a

  • SSDEEP

    3072:ApNMs+Kr1wbWGjl0xjsNNeVKBNVBxKT46xl+wndfIQQOaC3QBn7/hsb2BhGZ1/Nb:ApNMsLWEjsXjBATRpuuwnGD/Nj6a

Malware Config

Signatures

  • GandCrab payload 3 IoCs
  • Gandcrab

    GandCrab is ransomware: a Trojan that encrypts files on the victim's computer and demands payment for the decryption key.

  • Detects Reflective DLL injection artifacts 3 IoCs
  • Detects ransomware indicator 2 IoCs
  • Gandcrab Payload 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-22_5186db197edcf4cb5cf73e0e71a8d5ea_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-22_5186db197edcf4cb5cf73e0e71a8d5ea_mafia.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      PID:1460
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1228
      2⤵
      • Program crash
      PID:4328
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1940 -ip 1940
    1⤵
    PID:4840
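
The behaviours listed under Signatures and the process tree above (a Run key written, roots of drives other than C: enumerated, processor information read from the registry, and nslookup.exe spawned to resolve carder.bit against the hard-coded resolver ns1.wowservers.ru; .bit is a Namecoin namespace that ordinary DNS does not serve, which is why the lookup names an explicit nameserver) are the kind of telemetry a detection engineer would correlate per process. The following is an added example, not code from the report or from Hatching Triage: it replays constructed, simplified Sysmon-style events through a small scoring detector. Only the nslookup command line, the PIDs 1940/1460 and the parent path are taken from the report; the event field names, the Run key value name, the CentralProcessor registry key, the drive letters and the benign control events are assumptions made for illustration.

```python
"""Per-process scoring over constructed telemetry events (added example).

Event shapes are simplified and constructed; they are not Sysmon's real schema.
"""
import re
from collections import defaultdict

# Parent path is the sample from the report; everything else below is constructed.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-02-22_5186db197edcf4cb5cf73e0e71a8d5ea_mafia.exe"

SAMPLE_EVENTS = [
    # From the report: the sample (PID 1940) spawns nslookup with an explicit nameserver.
    {"type": "process_create", "pid": 1460, "ppid": 1940,
     "image": r"C:\Windows\SysWOW64\nslookup.exe",
     "cmdline": "nslookup carder.bit ns1.wowservers.ru", "parent_image": PARENT},
    # Constructed: Run key value name and data are assumptions, not from the report.
    {"type": "registry_set", "pid": 1940,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example", "data": PARENT},
    # Constructed: the usual CPU-info key; the report names no specific key.
    {"type": "registry_read", "pid": 1940,
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    # Constructed: root-path reads for drives other than C:.
    *({"type": "file_access", "pid": 1940, "path": f"{d}:\\"} for d in "DEFGHIJ"),
    # Constructed benign control: an admin resolving a normal name from a console.
    {"type": "process_create", "pid": 2000, "ppid": 1800,
     "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup example.com", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry_read", "pid": 1800,
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
]

# A bare ".bit" label as its own argument; "bit.ly"-style names do not match.
BIT_TOKEN = re.compile(r"(?:^|\s)(\S+\.bit)(?:\s|$)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
CPU_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.IGNORECASE)
ROOT_PATH = re.compile(r"^([A-Z]):\\$", re.IGNORECASE)

# Weights are illustrative: a lone CPU-info read is common in benign software,
# whereas resolving a .bit name through a hard-coded resolver is rarely legitimate.
WEIGHTS = {"dns_bit_tld": 3, "run_key": 2, "drive_enum": 2, "cpu_info": 1}
THRESHOLD = 4


def analyze(events):
    """Return {pid: {"score", "flagged", "hits"}} for every process with at least one hit."""
    hits = defaultdict(dict)   # owning pid -> {rule name: evidence}
    roots = defaultdict(set)   # pid -> drive letters other than C: whose root was touched
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            # Attribute use of a LOLBin to the process that spawned it.
            if ev["image"].lower().endswith("\\nslookup.exe"):
                m = BIT_TOKEN.search(ev["cmdline"])
                if m:
                    args = ev["cmdline"].split()
                    hits[ev["ppid"]]["dns_bit_tld"] = {
                        "domain": m.group(1),
                        "nameserver": args[2] if len(args) > 2 else None,
                    }
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]):
            hits[ev["pid"]]["run_key"] = ev["key"]
        elif kind == "registry_read" and CPU_KEY.search(ev["key"]):
            hits[ev["pid"]]["cpu_info"] = ev["key"]
        elif kind == "file_access":
            m = ROOT_PATH.match(ev["path"])
            if m and m.group(1).upper() != "C":
                roots[ev["pid"]].add(m.group(1).upper())
    # Three or more distinct non-C: roots counts as enumeration rather than a one-off read.
    for pid, drives in roots.items():
        if len(drives) >= 3:
            hits[pid]["drive_enum"] = sorted(drives)
    report = {}
    for pid, rules in hits.items():
        score = sum(WEIGHTS[r] for r in rules)
        report[pid] = {"score": score, "flagged": score >= THRESHOLD, "hits": rules}
    return report


if __name__ == "__main__":
    for pid, verdict in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

With the constructed events, PID 1940 collects all four rules and is flagged, while the console-launched nslookup and the lone CPU-info read stay below the threshold. Attributing the child-process rule to the parent PID is the important design choice: the crash-handling WerFault.exe instances in the tree above are keyed to PID 1940 in the same way, so a real pipeline would join on parent PID rather than on the image name that happened to do the lookup.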

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1940-1-0x00000000014A0000-0x00000000015A0000-memory.dmp
    Filesize: 1024KB
  • memory/1940-2-0x0000000000400000-0x00000000012D6000-memory.dmp
    Filesize: 14.8MB
  • memory/1940-3-0x0000000000400000-0x00000000012D6000-memory.dmp
    Filesize: 14.8MB
  • memory/1940-4-0x0000000001470000-0x0000000001487000-memory.dmp
    Filesize: 92KB
  • memory/1940-11-0x0000000001470000-0x0000000001487000-memory.dmp
    Filesize: 92KB