Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
24/03/2024, 03:11
Static task
static1
Behavioral task
behavioral1
Sample
a9746c942c665567a9285df17f325506.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a9746c942c665567a9285df17f325506.exe
Resource
win10v2004-20240226-en
General
-
Target
a9746c942c665567a9285df17f325506.exe
-
Size
250KB
-
MD5
a9746c942c665567a9285df17f325506
-
SHA1
6f0cfd31f2ec39051f7ccb3d9f5590e0d4a83bcb
-
SHA256
f4bc6c510f2c555db083fa55b6c941c62e7e5e476dd020fe2ebd615d61bbdf1f
-
SHA512
29b9f2bc73459d0cce9262a4e4bd72b3a5082cd8f7062687be757cffab6a42d4156d01b0707d61d97cf7ae4633fa86c03cd20dcb9e34b9d5ccc3d9b76a5e1143
-
SSDEEP
6144:z+YrOIBjaklexBgiJ8sTSIkIpxIp8mDtfPBRwasxXq:HOCjaklYgVIpxIhDtR
Malware Config
Signatures
-
GandCrab payload 4 IoCs
resource  yara_rule
behavioral1/memory/2188-3-0x0000000000400000-0x0000000000444000-memory.dmp  family_gandcrab
behavioral1/memory/2188-4-0x0000000000240000-0x0000000000257000-memory.dmp  family_gandcrab
behavioral1/memory/2188-11-0x0000000000400000-0x0000000000444000-memory.dmp  family_gandcrab
behavioral1/memory/2188-13-0x0000000000240000-0x0000000000257000-memory.dmp  family_gandcrab -
Gandcrab
GandCrab is a ransomware family that encrypts files on the victim's computer and demands payment for the decryption key; the YARA matches above fire on the unpacked payload in PID 2188's memory.
-
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iunqcotbuxd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\pwuofd.exe\""  a9746c942c665567a9285df17f325506.exe
Note: despite the signature name, the value is written under RunOnce (run at the next logon, then removed), in the machine hive, so the sample had write access to HKLM in this run. Wow6432Node is the redirected view a 32-bit process sees for HKLM\SOFTWARE on 64-bit Windows; on a 32-bit host the same value would appear directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. The autorun target pwuofd.exe sits under the user's AppData\Roaming, a location any user can write to. -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: a9746c942c665567a9285df17f325506.exe
ioc (23 drive roots, in report order): \??\G: \??\K: \??\T: \??\V: \??\X: \??\B: \??\E: \??\L: \??\N: \??\O: \??\P: \??\Z: \??\A: \??\H: \??\M: \??\S: \??\U: \??\W: \??\I: \??\J: \??\Q: \??\R: \??\Y:
That is every letter A: through Z: except C:, D: and F:. -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  a9746c942c665567a9285df17f325506.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  a9746c942c665567a9285df17f325506.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  a9746c942c665567a9285df17f325506.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
2188  a9746c942c665567a9285df17f325506.exe
2188  a9746c942c665567a9285df17f325506.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Each of the 16 target PIDs below appears four times in the raw log (64 entries, the signature's cap); every target is one of the nslookup.exe children listed under Processes.
description  pid  Process  procid_target  (entries)
PID 2188 wrote to memory of 2660  2188  a9746c942c665567a9285df17f325506.exe  28  x4
PID 2188 wrote to memory of 1208  2188  a9746c942c665567a9285df17f325506.exe  30  x4
PID 2188 wrote to memory of 2576  2188  a9746c942c665567a9285df17f325506.exe  32  x4
PID 2188 wrote to memory of 2428  2188  a9746c942c665567a9285df17f325506.exe  34  x4
PID 2188 wrote to memory of 2912  2188  a9746c942c665567a9285df17f325506.exe  36  x4
PID 2188 wrote to memory of 2784  2188  a9746c942c665567a9285df17f325506.exe  40  x4
PID 2188 wrote to memory of 592  2188  a9746c942c665567a9285df17f325506.exe  42  x4
PID 2188 wrote to memory of 1136  2188  a9746c942c665567a9285df17f325506.exe  44  x4
PID 2188 wrote to memory of 1532  2188  a9746c942c665567a9285df17f325506.exe  46  x4
PID 2188 wrote to memory of 936  2188  a9746c942c665567a9285df17f325506.exe  48  x4
PID 2188 wrote to memory of 1676  2188  a9746c942c665567a9285df17f325506.exe  50  x4
PID 2188 wrote to memory of 2396  2188  a9746c942c665567a9285df17f325506.exe  52  x4
PID 2188 wrote to memory of 1316  2188  a9746c942c665567a9285df17f325506.exe  54  x4
PID 2188 wrote to memory of 1764  2188  a9746c942c665567a9285df17f325506.exe  56  x4
PID 2188 wrote to memory of 1508  2188  a9746c942c665567a9285df17f325506.exe  58  x4
PID 2188 wrote to memory of 1880  2188  a9746c942c665567a9285df17f325506.exe  60  x4
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a9746c942c665567a9285df17f325506.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9746c942c665567a9285df17f325506.exe"
   PID:2188
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns1.wowservers.ru  PID:2660
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns2.wowservers.ru  PID:1208
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns2.wowservers.ru  PID:2576
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns1.wowservers.ru  PID:2428
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns1.wowservers.ru  PID:2912
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns2.wowservers.ru  PID:2784
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns2.wowservers.ru  PID:592
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns1.wowservers.ru  PID:1136
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns1.wowservers.ru  PID:1532
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns2.wowservers.ru  PID:936
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns2.wowservers.ru  PID:1676
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns1.wowservers.ru  PID:2396
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns1.wowservers.ru  PID:1316
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns2.wowservers.ru  PID:1764
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns2.wowservers.ru  PID:1508
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns1.wowservers.ru  PID:1880
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns1.wowservers.ru  PID:2092
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns2.wowservers.ru  PID:836
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns2.wowservers.ru  PID:1724
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns1.wowservers.ru  PID:1016
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns1.wowservers.ru  PID:1700
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup ransomware.bit ns2.wowservers.ru  PID:944
   2. C:\Windows\SysWOW64\nslookup.exe  nslookup carder.bit ns2.wowservers.ru  PID:2236
Note: the 23 nslookup.exe children all query the same two names, carder.bit and ransomware.bit, alternating between ns1.wowservers.ru and ns2.wowservers.ru. .bit is the Namecoin top-level domain, which the public DNS root does not serve, so the sample hands an explicit nameserver to nslookup instead of using the system resolver. The parent keeps spawning lookups for the whole run, which is consistent with none of them returning a usable answer in the sandbox. Both the repeated nslookup command line with a .bit name and DNS traffic to the wowservers.ru hosts are usable detection points. -