gandcrab | 40172737d7592a2b14b34b1d4425b229e3a4b0da7fadc715375ab2bba69bb247

Analysis

max time kernel
55s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 17:24

Target

2024-04-26_7cd2aa7dd72dfaf4f245edc226d7f7e0_karagany_mafia.exe
Size

308KB
MD5

7cd2aa7dd72dfaf4f245edc226d7f7e0
SHA1

9ff1cec6a9bc7d61b83794f74d0b5d0611578510
SHA256

40172737d7592a2b14b34b1d4425b229e3a4b0da7fadc715375ab2bba69bb247
SHA512

f429457dbda6c2c7d44d95afd678b11393b5283283f10bb7e7fdbe110157f7b06a2d4629c3823e273b09eeae5bc3dc9181a3ccbaf6ce13aae1df5282217ab535
SSDEEP

6144:hzL7ShWDLVzVNam6GxI29dqG3KdYAYqTuPZp:vDHNam62ZdKmZmuPH

Score

10^/10

GandCrab payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-2-0x000000000C5E0000-0x000000000C5F7000-memory.dmp	family_gandcrab
behavioral2/memory/3212-1-0x0000000000400000-0x0000000001400000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Detects Reflective DLL injection artifacts 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-2-0x000000000C5E0000-0x000000000C5F7000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/memory/3212-1-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects ransomware indicator 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-2-0x000000000C5E0000-0x000000000C5F7000-memory.dmp	SUSP_RANSOMWARE_Indicator_Jul20

Gandcrab Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-2-0x000000000C5E0000-0x000000000C5F7000-memory.dmp	Gandcrab
behavioral2/memory/3212-1-0x0000000000400000-0x0000000001400000-memory.dmp	Gandcrab

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4324 3212 WerFault.exe 2024-04-26_7cd2aa7dd72dfaf4f245edc226d7f7e0_karagany_mafia.exe

pid	pid_target	process	target process
4324	3212	WerFault.exe	2024-04-26_7cd2aa7dd72dfaf4f245edc226d7f7e0_karagany_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_7cd2aa7dd72dfaf4f245edc226d7f7e0_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_7cd2aa7dd72dfaf4f245edc226d7f7e0_karagany_mafia.exe"
1⤵
PID:3212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 480
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3212 -ip 3212
1⤵
PID:1316

memory/3212-2-0x000000000C5E0000-0x000000000C5F7000-memory.dmp

Filesize
92KB

Download
memory/3212-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download