e3bdff89891e09edd7c3b63b0968ea385816304a95f2fbc0efdece6bb69ecb01

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
Size

73KB
MD5

faf5287324853a26ce3912ec2ba73115
SHA1

14fe0f571ccf1e5ffb07f3841ab002379c73558e
SHA256

e3bdff89891e09edd7c3b63b0968ea385816304a95f2fbc0efdece6bb69ecb01
SHA512

844f10789df83fa1c1cd8084e0d807688be6b9d81ab776ec8dfdd41d348067aa01b18756ddbd392c08f12fb5bbb0f1050951c26be21bd89f18b91233a98905c8
SSDEEP

1536:R555555555555pmgSeGDjtQhnwmmB0yJMqqU+2bbbAV2/S2mr3IdE8mne0Avu5ry:eMSjOnrmBxMqqDL2/mr3IdE8we0Avu5h

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\haimnswscou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe"	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\R:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\S:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\T:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\V:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\X:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\Y:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\G:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\Z:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\M:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\N:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\O:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\U:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\E:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\H:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\J:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\K:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\P:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\W:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\B:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\L:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\Q:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
File opened (read-only)	\??\A:	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1380	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	89
PID 1496 wrote to memory of 1380	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	89
PID 1496 wrote to memory of 1380	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	89
PID 1496 wrote to memory of 2280	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	98
PID 1496 wrote to memory of 2280	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	98
PID 1496 wrote to memory of 2280	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	98
PID 1496 wrote to memory of 4712	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	100
PID 1496 wrote to memory of 4712	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	100
PID 1496 wrote to memory of 4712	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	100
PID 1496 wrote to memory of 3512	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	103
PID 1496 wrote to memory of 3512	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	103
PID 1496 wrote to memory of 3512	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	103
PID 1496 wrote to memory of 3104	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	105
PID 1496 wrote to memory of 3104	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	105
PID 1496 wrote to memory of 3104	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	105
PID 1496 wrote to memory of 4236	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	107
PID 1496 wrote to memory of 4236	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	107
PID 1496 wrote to memory of 4236	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	107
PID 1496 wrote to memory of 4268	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	109
PID 1496 wrote to memory of 4268	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	109
PID 1496 wrote to memory of 4268	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	109
PID 1496 wrote to memory of 1776	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	111
PID 1496 wrote to memory of 1776	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	111
PID 1496 wrote to memory of 1776	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	111
PID 1496 wrote to memory of 4336	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	113
PID 1496 wrote to memory of 4336	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	113
PID 1496 wrote to memory of 4336	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	113
PID 1496 wrote to memory of 3364	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	115
PID 1496 wrote to memory of 3364	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	115
PID 1496 wrote to memory of 3364	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	115
PID 1496 wrote to memory of 3840	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	117
PID 1496 wrote to memory of 3840	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	117
PID 1496 wrote to memory of 3840	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	117
PID 1496 wrote to memory of 1952	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	119
PID 1496 wrote to memory of 1952	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	119
PID 1496 wrote to memory of 1952	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	119
PID 1496 wrote to memory of 5080	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	121
PID 1496 wrote to memory of 5080	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	121
PID 1496 wrote to memory of 5080	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	121
PID 1496 wrote to memory of 680	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	123
PID 1496 wrote to memory of 680	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	123
PID 1496 wrote to memory of 680	1496	2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_faf5287324853a26ce3912ec2ba73115_gandcrab.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1380
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:2280
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4712
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:3512
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:3104
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4236
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4268
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:1776
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4336
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:3364
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:3840
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1952
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:5080
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:680