Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
10/04/2024, 19:16
Behavioral task
behavioral1
Sample
1d2725e005ff437ed228626d81477212840fd841a25bdeea21e0a533e9704d41.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1d2725e005ff437ed228626d81477212840fd841a25bdeea21e0a533e9704d41.exe
Resource
win10v2004-20240319-en
General
-
Target
1d2725e005ff437ed228626d81477212840fd841a25bdeea21e0a533e9704d41.exe
-
Size
400KB
-
MD5
36d853f24b792a3f001764aca709ffbf
-
SHA1
f59b2a48e08a471a866d4f7b419da04197436b73
-
SHA256
1d2725e005ff437ed228626d81477212840fd841a25bdeea21e0a533e9704d41
-
SHA512
03d82cd684eebb96537d9acb8e1cef368fb8b54e6af98f39f2745771cdf6f76e33dae1b96759f9adf28f455e0fe9281202c56e350000cb3141c16798f51b593f
-
SSDEEP
3072:uDxELd9sXbq+FziQ5foIY8RdMyFqhVw09wF3AbuXijGVB60Enddmzwh2HNw7XR:axELvswQloIY2vcVT9IwciKHEDmzKy+
Malware Config
Signatures
-
GandCrab payload 3 IoCs
resource yara_rule behavioral2/memory/4000-2-0x0000000000400000-0x0000000000464000-memory.dmp family_gandcrab behavioral2/memory/4000-4-0x00000000006E0000-0x00000000006F6000-memory.dmp family_gandcrab behavioral2/memory/4000-7-0x0000000000400000-0x0000000000464000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Detects Reflective DLL injection artifacts 3 IoCs
resource yara_rule behavioral2/memory/4000-2-0x0000000000400000-0x0000000000464000-memory.dmp INDICATOR_SUSPICIOUS_ReflectiveLoader behavioral2/memory/4000-4-0x00000000006E0000-0x00000000006F6000-memory.dmp INDICATOR_SUSPICIOUS_ReflectiveLoader behavioral2/memory/4000-7-0x0000000000400000-0x0000000000464000-memory.dmp INDICATOR_SUSPICIOUS_ReflectiveLoader -
Detects ransomware indicator 3 IoCs
resource yara_rule behavioral2/memory/4000-2-0x0000000000400000-0x0000000000464000-memory.dmp SUSP_RANSOMWARE_Indicator_Jul20 behavioral2/memory/4000-4-0x00000000006E0000-0x00000000006F6000-memory.dmp SUSP_RANSOMWARE_Indicator_Jul20 behavioral2/memory/4000-7-0x0000000000400000-0x0000000000464000-memory.dmp SUSP_RANSOMWARE_Indicator_Jul20 -
Gandcrab Payload 3 IoCs
resource yara_rule behavioral2/memory/4000-2-0x0000000000400000-0x0000000000464000-memory.dmp Gandcrab behavioral2/memory/4000-4-0x00000000006E0000-0x00000000006F6000-memory.dmp Gandcrab behavioral2/memory/4000-7-0x0000000000400000-0x0000000000464000-memory.dmp Gandcrab -
UPX dump on OEP (original entry point) 3 IoCs
resource yara_rule behavioral2/memory/4000-0-0x0000000000400000-0x0000000000464000-memory.dmp UPX behavioral2/memory/4000-2-0x0000000000400000-0x0000000000464000-memory.dmp UPX behavioral2/memory/4000-7-0x0000000000400000-0x0000000000464000-memory.dmp UPX -
resource yara_rule behavioral2/memory/4000-0-0x0000000000400000-0x0000000000464000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 3792 4000 WerFault.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d2725e005ff437ed228626d81477212840fd841a25bdeea21e0a533e9704d41.exe"C:\Users\Admin\AppData\Local\Temp\1d2725e005ff437ed228626d81477212840fd841a25bdeea21e0a533e9704d41.exe"1⤵PID:4000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 3442⤵
- Program crash
PID:3792
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4000 -ip 40001⤵PID:2044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2284,i,13100272738549420251,6151825632958897606,262144 --variations-seed-version /prefetch:81⤵PID:3452