gandcrab | d8dfef3f46f339eae86ad4926f345a154cf73737d7e99855f2786e8b452b0384

Analysis

max time kernel
91s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 15:22

Target

2024-03-29_01102d78217f04e932f0f989a1cebe9c_karagany_mafia.exe
Size

250KB
MD5

01102d78217f04e932f0f989a1cebe9c
SHA1

04928c07d97424adf4179a7d3a0e46f4e297b356
SHA256

d8dfef3f46f339eae86ad4926f345a154cf73737d7e99855f2786e8b452b0384
SHA512

3fce5e71da6ab5a2fef3cfc142050a9345759e44ae70268946e2dfddcb8ad0e0aebecf1b8693cebbe020f2570c55a37cc812b8ce3d806a7764469d88c0e8e0c1
SSDEEP

6144:9+YrOIBjaklexBgiJ8sTSIkIpxIp8mDtfPBRwasxXq:9OCjaklYgVIpxIhDtR

Score

10^/10

GandCrab payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3180-3-0x0000000000400000-0x0000000000444000-memory.dmp	family_gandcrab
behavioral2/memory/3180-4-0x0000000000630000-0x0000000000647000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Detects Reflective DLL injection artifacts 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3180-3-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/memory/3180-4-0x0000000000630000-0x0000000000647000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects ransomware indicator 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3180-3-0x0000000000400000-0x0000000000444000-memory.dmp	SUSP_RANSOMWARE_Indicator_Jul20
behavioral2/memory/3180-4-0x0000000000630000-0x0000000000647000-memory.dmp	SUSP_RANSOMWARE_Indicator_Jul20

Gandcrab Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3180-3-0x0000000000400000-0x0000000000444000-memory.dmp	Gandcrab
behavioral2/memory/3180-4-0x0000000000630000-0x0000000000647000-memory.dmp	Gandcrab

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4068 3180 WerFault.exe 2024-03-29_01102d78217f04e932f0f989a1cebe9c_karagany_mafia.exe

pid	pid_target	process	target process
4068	3180	WerFault.exe	2024-03-29_01102d78217f04e932f0f989a1cebe9c_karagany_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-29_01102d78217f04e932f0f989a1cebe9c_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_01102d78217f04e932f0f989a1cebe9c_karagany_mafia.exe"
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 468
2⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3180 -ip 3180
1⤵
PID:2080

memory/3180-0-0x00000000005F0000-0x000000000060B000-memory.dmp

Filesize
108KB

Download
memory/3180-1-0x00000000005F0000-0x000000000060B000-memory.dmp

Filesize
108KB

Download
memory/3180-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3180-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3180-4-0x0000000000630000-0x0000000000647000-memory.dmp

Filesize
92KB

Download