Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 24/03/2024, 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe
Size: 250KB
MD5: f36110e6adee9d68a0a567e3c16a1e46
SHA1: cbfe948c3dffaaf8b16de9263d039d5e87099a3a
SHA256: ef73aa177b5e78e43c001b8ea8f21e392ca23d49d6d203d81057a9d0b86de8b5
SHA512: 9938788c4cfaa61aa1386755cd335d09ad665fbd3238a8d3182a479907655726bfabadbeef847ea320595cda2bee837fa20bac03d665102256ad72144374359d
SSDEEP: 3072:Y/yK5d0Gj0+nY3uEBLvBNfdUR2/qFnB8o2+vU3WuvIBuj00nReaXkuSQ7cdOd3:Y/y20Gj0r+EBFrkvlU3RvIUDOIN
Malware Config
Signatures
GandCrab payload (39 IoCs)
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lydnncecayt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\gpilhf.exe\""
  Process: 2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 36 IoCs)
Processor information is often read in order to detect sandboxing environments.
Modifies registry class (4 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_Classes\Local Settings
  Process: rundll32.exe (4 identical entries)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 2492: 2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe (2 identical entries)
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
PIDs 464, 2252, 1396, 1468: rundll32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 2492)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child processes:
    C:\Windows\SysWOW64\nslookup.exe  (PID 3064)  command line: nslookup carder.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2724)  command line: nslookup ransomware.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2456)  command line: nslookup carder.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2124)  command line: nslookup ransomware.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2016)  command line: nslookup carder.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 1612)  command line: nslookup ransomware.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2920)  command line: nslookup carder.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 1840)  command line: nslookup ransomware.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2296)  command line: nslookup carder.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2080)  command line: nslookup ransomware.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 1968)  command line: nslookup carder.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 1644)  command line: nslookup ransomware.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2552)  command line: nslookup carder.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2732)  command line: nslookup ransomware.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2548)  command line: nslookup carder.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 1280)  command line: nslookup ransomware.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2468)  command line: nslookup carder.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2680)  command line: nslookup ransomware.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2524)  command line: nslookup carder.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2648)  command line: nslookup ransomware.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2612)  command line: nslookup carder.bit ns1.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 1124)  command line: nslookup ransomware.bit ns2.wowservers.ru
    C:\Windows\SysWOW64\nslookup.exe  (PID 2348)  command line: nslookup carder.bit ns2.wowservers.ru

C:\Windows\explorer.exe  (PID 2692)
  command line: "C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 2396)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 1120)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 1640)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 1088)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 308)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 732)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 2868)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 1500)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 2176)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Windows\system32\rundll32.exe  (PID 2252)
  command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4b967d69-07e7-4776-b314-55aeee164c9e.tmp
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\system32\rundll32.exe  (PID 464)
  command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4b967d69-07e7-4776-b314-55aeee164c9e.tmp
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\system32\rundll32.exe  (PID 1396)
  command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4b967d69-07e7-4776-b314-55aeee164c9e.tmp
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\system32\rundll32.exe  (PID 1468)
  command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4b967d69-07e7-4776-b314-55aeee164c9e.tmp
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 3052)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe  (PID 2984)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-24_f36110e6adee9d68a0a567e3c16a1e46_karagany_mafia.exe"
  - Checks processor information in registry