Analysis

- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2024 04:06
Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: de01194f21a3b9d49641192796569ae8.exe
  - Resource: win7-20240319-en
- Behavioral task: behavioral2
  - Sample: de01194f21a3b9d49641192796569ae8.exe
  - Resource: win10v2004-20240226-en

The signatures, process tree and memory dumps below come from behavioral1 (Windows 7 x64); the behavioral2 (Windows 10) run is not shown on this page.
General

- Target: de01194f21a3b9d49641192796569ae8.exe
- Size: 308KB
- MD5: de01194f21a3b9d49641192796569ae8
- SHA1: 3bfb8f956d07b95db06ca1d1fe616ed17aa9c7a0
- SHA256: cd217cecbca13cf643760c825666eb808fa0fcf1fe68f3395d5b5116e7ae58b1
- SHA512: eb878141f947c48d7c73585061007591ed6c917f6a16efb7247d6164ce119a3bd47afe8c0c5509cf4a6ecb3f6676d942f94334a582301edd06b857e650ea3a60
- SSDEEP: 6144:izL7ShWDLVzVNam6GxI29dqG3KdYAYqTuPZp:oDHNam62ZdKmZmuPH
Malware Config
Signatures

GandCrab payload (4 IoCs)
YARA rule family_gandcrab matched four memory dumps of PID 2168 (behavioral1):
- behavioral1/memory/2168-2-0x0000000000400000-0x0000000001400000-memory.dmp
- behavioral1/memory/2168-3-0x0000000000260000-0x0000000000277000-memory.dmp
- behavioral1/memory/2168-10-0x0000000000400000-0x0000000001400000-memory.dmp
- behavioral1/memory/2168-13-0x0000000000260000-0x0000000000277000-memory.dmp
These are two distinct regions, each dumped twice: the 16 MB mapping at 0x400000 and a 92 KB region at 0x260000.
GandCrab
GandCrab is a ransomware family: it encrypts files on the victim's computer and holds the decryption key for ransom.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Process: de01194f21a3b9d49641192796569ae8.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jlevertenhk = "C:\Users\Admin\AppData\Roaming\Microsoft\mecwag.exe" (value data shown unescaped; the report prints it C-style escaped)
Despite the signature name, the value lands under RunOnce (run once at the next logon, then deleted), not Run, and under Wow6432Node because the 32-bit sample writes HKLM\SOFTWARE through WOW64 registry redirection. The value name (jlevertenhk) and the dropped copy (mecwag.exe) look generated, so hunt on the location (an HKLM RunOnce value pointing into %APPDATA%\Microsoft\) rather than on these strings.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: de01194f21a3b9d49641192796569ae8.exe opened the following roots read-only (\??\<letter>:):
- A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:
(23 letters; C:, D: and F: do not appear in the list.) Opening every letter including A: and B: regardless of whether a volume exists is consistent with a blind drive walk ahead of encryption.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: de01194f21a3b9d49641192796569ae8.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Legitimate installers read the same keys, so on its own this signature is low-confidence; it is only meaningful here alongside the YARA match and the network behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: de01194f21a3b9d49641192796569ae8.exe (PID 2168), two process-enumeration events.
Suspicious use of WriteProcessMemory (64 IoCs)
Source: PID 2168 (de01194f21a3b9d49641192796569ae8.exe). Target in every case: nslookup.exe. Four writes were recorded into each of these 16 child PIDs:
- 2948, 2512, 2816, 2592, 2500, 2380, 2408, 1080, 740, 1072, 2452, 1584, 1628, 2744, 564, 2068
The list stops at exactly 64 entries (16 children) while the process tree shows 23 nslookup children, so treat it as truncated. A fixed burst of four writes into each freshly created child is the pattern of a parent setting up a process it has just spawned, not of injection into an existing one; read this signature as corroborating the nslookup spawning rather than as a separate injection finding.
Processes

C:\Users\Admin\AppData\Local\Temp\de01194f21a3b9d49641192796569ae8.exe (PID 2168)
  command line: "C:\Users\Admin\AppData\Local\Temp\de01194f21a3b9d49641192796569ae8.exe"
  signatures:
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  children (23, all C:\Windows\SysWOW64\nslookup.exe, in this order):
  - nslookup carder.bit ns1.wowservers.ru
  - nslookup ransomware.bit ns2.wowservers.ru
  - nslookup carder.bit ns2.wowservers.ru
  - nslookup ransomware.bit ns1.wowservers.ru
  - nslookup carder.bit ns1.wowservers.ru
  - nslookup ransomware.bit ns2.wowservers.ru
  - nslookup carder.bit ns2.wowservers.ru
  - nslookup ransomware.bit ns1.wowservers.ru
  - nslookup carder.bit ns1.wowservers.ru
  - nslookup ransomware.bit ns2.wowservers.ru
  - nslookup carder.bit ns2.wowservers.ru
  - nslookup ransomware.bit ns1.wowservers.ru
  - nslookup carder.bit ns1.wowservers.ru
  - nslookup ransomware.bit ns2.wowservers.ru
  - nslookup carder.bit ns2.wowservers.ru
  - nslookup ransomware.bit ns1.wowservers.ru
  - nslookup carder.bit ns1.wowservers.ru
  - nslookup ransomware.bit ns2.wowservers.ru
  - nslookup carder.bit ns2.wowservers.ru
  - nslookup ransomware.bit ns1.wowservers.ru
  - nslookup carder.bit ns1.wowservers.ru
  - nslookup ransomware.bit ns2.wowservers.ru
  - nslookup carder.bit ns2.wowservers.ru

The children are the same four commands cycled over and over: two names (carder.bit, ransomware.bit) against two resolvers (ns1.wowservers.ru, ns2.wowservers.ru). .bit is the Namecoin blockchain TLD, which ordinary public resolvers do not serve, so the sample hands nslookup an explicit server as the second positional argument and keeps retrying until something answers. The child image is the SysWOW64 copy of nslookup.exe, which tells you the parent is a 32-bit process on this x64 guest. For detection, nslookup.exe spawned by a parent outside the system directories with a second positional argument (an explicit server), or any query for a .bit name, is a far narrower pattern than the WriteProcessMemory signature above.
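The triage below is an added example and not Tria.ge code or part of the sample: it replays the process tree and the RunOnce IoC printed above (transcribed from this report), parses the nslookup command lines into query name and resolver, and classifies the registry write. The choice of which TLDs count as blockchain-only and which registry keys count as autorun locations is this script's own assumption.

```python
"""Triage helper for the process tree and persistence IoC reported above.

Added example; not Tria.ge code and not part of the sample. The process tree
and the registry line are transcribed from the report; BLOCKCHAIN_TLDS and
AUTORUN_RE are this script's own assumptions.
"""
import re
from dataclasses import dataclass

# Namecoin's TLD: served only by its own resolvers, never by public DNS (assumption: the only such TLD we care about here).
BLOCKCHAIN_TLDS = {"bit"}

# Autorun locations under HKLM\SOFTWARE, with or without the Wow6432Node prefix.
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)


@dataclass(frozen=True)
class Proc:
    depth: int      # 1 = root of the tree, 2 = child, as the report numbers them
    image: str
    cmdline: str


ROOT = Proc(1, r"C:\Users\Admin\AppData\Local\Temp\de01194f21a3b9d49641192796569ae8.exe",
            r'"C:\Users\Admin\AppData\Local\Temp\de01194f21a3b9d49641192796569ae8.exe"')

# The report shows this four-command cycle repeated through 23 nslookup children.
CYCLE = [
    "nslookup carder.bit ns1.wowservers.ru",
    "nslookup ransomware.bit ns2.wowservers.ru",
    "nslookup carder.bit ns2.wowservers.ru",
    "nslookup ransomware.bit ns1.wowservers.ru",
]
CHILDREN = [Proc(2, r"C:\Windows\SysWOW64\nslookup.exe", (CYCLE * 6)[i]) for i in range(23)]
PROCESS_TREE = [ROOT] + CHILDREN

# Registry IoC exactly as the report prints it (value data is C-style escaped).
REGISTRY_IOC = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft'
                r'\Windows\CurrentVersion\RunOnce\jlevertenhk = '
                r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\mecwag.exe\""')


def parse_nslookup(cmdline):
    """Return (qname, server) for an `nslookup [options] host [server]` command line."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() not in ("nslookup", "nslookup.exe"):
        return None
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    if not positional:
        return None
    qname = positional[0].rstrip(".").lower()
    server = positional[1].lower() if len(positional) > 1 else None
    return qname, server


def parse_registry_set(line):
    """Split a 'Set value (type) \\REGISTRY\\... = "data"' report line into its parts."""
    m = re.fullmatch(r'Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)"', line)
    if not m:
        return None
    vtype, key_path, raw = m.groups()
    data = raw.replace('\\"', '"').replace("\\\\", "\\")   # undo the report's escaping
    key, _, value_name = key_path.rpartition("\\")
    return {"type": vtype, "key": key, "value_name": value_name, "data": data}


def classify_persistence(entry):
    """Describe an autorun write; None if the key is not an autorun location."""
    m = AUTORUN_RE.search(entry["key"] + "\\")
    if not m:
        return None
    target = entry["data"].strip('"')          # the data is a quoted path
    return {
        "autorun": m.group(1),                  # Run vs RunOnce
        "hive_key": entry["key"],
        "value_name": entry["value_name"],
        "target": target,
        "wow64_redirected": "\\wow6432node\\" in entry["key"].lower(),
        "target_in_appdata": "\\appdata\\roaming\\" in target.lower(),
    }


def triage(tree, registry_lines):
    """Summarise the lookups and persistence in a report's process tree."""
    root = tree[0]
    lookups = []
    for p in tree[1:]:
        if p.image.lower().endswith("\\nslookup.exe"):
            parsed = parse_nslookup(p.cmdline)
            if parsed:
                lookups.append(parsed)
    blockchain = [(q, s) for q, s in lookups if q.rsplit(".", 1)[-1] in BLOCKCHAIN_TLDS]
    explicit = sorted({s for _, s in lookups if s})
    persistence = []
    for line in registry_lines:
        entry = parse_registry_set(line)
        finding = classify_persistence(entry) if entry else None
        if finding:
            persistence.append(finding)
    reasons = []
    if blockchain:
        reasons.append(f"{len(blockchain)} lookups of blockchain-TLD names {sorted({q for q, _ in blockchain})}")
    if explicit:
        reasons.append(f"nslookup given explicit resolvers {explicit}")
    for f in persistence:
        reasons.append(f"{f['autorun']} value {f['value_name']} -> {f['target']}")
    return {
        "parent": root.image,
        # A 32-bit parent launching nslookup gets the SysWOW64 copy via file-system redirection.
        "wow64": any("\\syswow64\\" in p.image.lower() for p in tree[1:]),
        "lookups": lookups,
        "qnames": sorted({q for q, _ in lookups}),
        "servers": explicit,
        "persistence": persistence,
        "reasons": reasons,
        "suspicious": bool(blockchain or persistence),
    }


if __name__ == "__main__":
    result = triage(PROCESS_TREE, [REGISTRY_IOC])
    print(f"{result['parent']} (32-bit: {result['wow64']})")
    for reason in result["reasons"]:
        print(" -", reason)
```

The same `triage` function works on any Tria.ge-style tree with the children listed in order; the only report-specific parts are the transcribed constants at the top.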
Downloads (memory dumps of PID 2168, behavioral1)

- memory/2168-1-0x0000000000290000-0x0000000000390000-memory.dmp: 0x290000-0x390000, 1024KB
- memory/2168-2-0x0000000000400000-0x0000000001400000-memory.dmp: 0x400000-0x1400000, 16.0MB
- memory/2168-3-0x0000000000260000-0x0000000000277000-memory.dmp: 0x260000-0x277000, 92KB
- memory/2168-10-0x0000000000400000-0x0000000001400000-memory.dmp: 0x400000-0x1400000, 16.0MB
- memory/2168-12-0x0000000000290000-0x0000000000390000-memory.dmp: 0x290000-0x390000, 1024KB
- memory/2168-13-0x0000000000260000-0x0000000000277000-memory.dmp: 0x260000-0x277000, 92KB

Three regions, each dumped twice (the number after the PID is the dump sequence). The dumps at 0x400000 (sequence 2 and 10) and 0x260000 (3 and 13) are the ones the family_gandcrab rule matched; the 1 MB region at 0x290000 was not flagged. 0x400000 is the default image base of a 32-bit executable, so the 16 MB dump is the process image, and a 16 MB in-memory image from a 308 KB file is consistent with a packer that unpacks the payload into oversized sections. The second dump of each region is the one to carve a payload from, since it is taken after the sample has had time to unpack.
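As an added example (not Tria.ge code), the script below parses the dump file names listed above into PID, sequence and address range, checks each range against the size the report prints, and joins the dumps back to the YARA hits from the Signatures section so that flagged regions can be told apart from unflagged ones. The dump names, sizes and hit list are transcribed from this report; the image-base interpretation and the on-disk size used for the expansion ratio are this script's own assumptions.

```python
"""Correlate the memory dumps listed above with the family_gandcrab YARA hits.

Added example; not Tria.ge code. DOWNLOADS and YARA_HITS are transcribed from
the report; PE32_DEFAULT_IMAGE_BASE and FILE_SIZE_ON_DISK are assumptions
used only to label the image region.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I,
)
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(KB|MB|GB)$", re.I)
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}   # report uses binary units (0x100000 -> 1024KB)

PE32_DEFAULT_IMAGE_BASE = 0x400000     # default ImageBase of a 32-bit EXE (assumption for labelling)
FILE_SIZE_ON_DISK = 308 * 1024         # "Size: 308KB" from the General section

# (dump name, size as printed in the Downloads section)
DOWNLOADS = [
    ("memory/2168-1-0x0000000000290000-0x0000000000390000-memory.dmp", "1024KB"),
    ("memory/2168-2-0x0000000000400000-0x0000000001400000-memory.dmp", "16.0MB"),
    ("memory/2168-3-0x0000000000260000-0x0000000000277000-memory.dmp", "92KB"),
    ("memory/2168-10-0x0000000000400000-0x0000000001400000-memory.dmp", "16.0MB"),
    ("memory/2168-12-0x0000000000290000-0x0000000000390000-memory.dmp", "1024KB"),
    ("memory/2168-13-0x0000000000260000-0x0000000000277000-memory.dmp", "92KB"),
]

# resource -> yara_rule, from the "GandCrab payload" signature.
YARA_HITS = {
    "behavioral1/memory/2168-2-0x0000000000400000-0x0000000001400000-memory.dmp": "family_gandcrab",
    "behavioral1/memory/2168-3-0x0000000000260000-0x0000000000277000-memory.dmp": "family_gandcrab",
    "behavioral1/memory/2168-10-0x0000000000400000-0x0000000001400000-memory.dmp": "family_gandcrab",
    "behavioral1/memory/2168-13-0x0000000000260000-0x0000000000277000-memory.dmp": "family_gandcrab",
}


def parse_size(text):
    """'16.0MB' -> 16777216 bytes, using the binary units the report uses."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(round(float(m.group(1)) * UNITS[m.group(2).upper()]))


def parse_dump_name(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> dict, or None if not a dump name."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size_bytes": end - start}


def correlate(downloads, yara_hits, task="behavioral1"):
    """Group dumps by address range and attach YARA rules and consistency checks."""
    regions = {}
    for name, printed in downloads:
        d = parse_dump_name(name)
        if d is None:
            continue
        key = (d["start"], d["end"])
        r = regions.setdefault(key, {
            "pid": d["pid"], "start": d["start"], "end": d["end"],
            "size_bytes": d["size_bytes"], "seqs": [], "rules": set(), "consistent": True,
        })
        r["seqs"].append(d["seq"])
        # The printed size must equal end - start, otherwise the listing is mislabelled.
        r["consistent"] &= (parse_size(printed) == d["size_bytes"])
        rule = yara_hits.get(f"{task}/{name}")
        if rule:
            r["rules"].add(rule)
    out = []
    for r in sorted(regions.values(), key=lambda r: r["start"]):
        r["flagged"] = bool(r["rules"])
        r["is_image"] = r["start"] == PE32_DEFAULT_IMAGE_BASE
        r["expansion_vs_file"] = r["size_bytes"] / FILE_SIZE_ON_DISK if r["is_image"] else None
        out.append(r)
    return out


if __name__ == "__main__":
    for r in correlate(DOWNLOADS, YARA_HITS):
        label = "image" if r["is_image"] else "region"
        print(f"{label} 0x{r['start']:x}-0x{r['end']:x} {r['size_bytes'] >> 10}KB "
              f"seqs={r['seqs']} rules={sorted(r['rules'])} consistent={r['consistent']}")
```

Run as is, it prints one line per region; the unflagged 1 MB region at 0x290000 stands out as the one that would need manual inspection if the YARA rule were the only reason for the verdict.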