gandcrab | ea105dae9196b2abb2d63df2c9a44b65c101737be0be3e2e2ce1da0a0eab8ee4

General

Target

2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
Size

316KB
MD5

14227f64edcb3b5c7cb8f85332521778
SHA1

19a79540190d8287ba58c6d539e0d5c87875deea
SHA256

ea105dae9196b2abb2d63df2c9a44b65c101737be0be3e2e2ce1da0a0eab8ee4
SHA512

bf15cd4bd58a86d44c556666a3073b8a6c86d87b6488957eb9c9f8515d1294a674d4466723f40d34d76cc34ea1919fc0a56d811be9d3af174f849ffada64be26
SSDEEP

6144:rv+3NMO1UnseVgkV0xwvfxnhLTiusLe1740Y:adM0Unsna5mut40Y

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4408-2-0x0000000000400000-0x0000000003B9F000-memory.dmp	family_gandcrab
behavioral2/memory/4408-3-0x00000000059B0000-0x00000000059C7000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Detects Reflective DLL injection artifacts 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4408-2-0x0000000000400000-0x0000000003B9F000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/memory/4408-3-0x00000000059B0000-0x00000000059C7000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects ransomware indicator 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4408-3-0x00000000059B0000-0x00000000059C7000-memory.dmp	SUSP_RANSOMWARE_Indicator_Jul20

Gandcrab Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4408-2-0x0000000000400000-0x0000000003B9F000-memory.dmp	Gandcrab
behavioral2/memory/4408-3-0x00000000059B0000-0x00000000059C7000-memory.dmp	Gandcrab

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4628 4408 WerFault.exe 2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe

pid	pid_target	process	target process
4628	4408	WerFault.exe	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe

pid	process
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
4408	2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_14227f64edcb3b5c7cb8f85332521778_mafia.exe"
1⤵
- Suspicious use of SetWindowsHookAW
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 480
2⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4408 -ip 4408
1⤵
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3828 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:3552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4408-0-0x0000000000400000-0x0000000003B9F000-memory.dmp

Filesize
55.6MB

Download
memory/4408-1-0x00000000058F0000-0x000000000590B000-memory.dmp

Filesize
108KB

Download
memory/4408-2-0x0000000000400000-0x0000000003B9F000-memory.dmp

Filesize
55.6MB

Download
memory/4408-3-0x00000000059B0000-0x00000000059C7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads