gandcrab | 684e839937beae1a63ed092320ad26533c23341289e3ca1dcf18b1cd6fabfdcd

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 17:26

Target

2024-04-28_5eb1b9604acac403d47a6dec07905d90_karagany_mafia.exe
Size

326KB
MD5

5eb1b9604acac403d47a6dec07905d90
SHA1

f9f34b64b90fd3491262d4521c4105e21b8d015c
SHA256

684e839937beae1a63ed092320ad26533c23341289e3ca1dcf18b1cd6fabfdcd
SHA512

b88f9bacdd34c6c3f3f6ffb5c085d8a70fcd09624d0ecdce0a4509f9484f3202ebdcff39364d0402c4204def7c50e5dc192d9b406dcab04f5b84c391cad0ef57
SSDEEP

3072:m+V2GtCb0nDlGTM87yRBNWwxnImfoP/KOBejjY6IaCDtm0zT5363kQ8JuO:mB/moTXkLHgPitjYVmq+K

Score

10^/10

GandCrab payload 2 IoCs

resource	yara_rule
behavioral2/memory/4604-5-0x0000000001390000-0x00000000013A7000-memory.dmp	family_gandcrab
behavioral2/memory/4604-6-0x0000000000400000-0x00000000012D6000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Detects Reflective DLL injection artifacts 2 IoCs

resource	yara_rule
behavioral2/memory/4604-5-0x0000000001390000-0x00000000013A7000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/memory/4604-6-0x0000000000400000-0x00000000012D6000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects ransomware indicator 1 IoCs

resource	yara_rule
behavioral2/memory/4604-5-0x0000000001390000-0x00000000013A7000-memory.dmp	SUSP_RANSOMWARE_Indicator_Jul20

Gandcrab Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4604-5-0x0000000001390000-0x00000000013A7000-memory.dmp	Gandcrab
behavioral2/memory/4604-6-0x0000000000400000-0x00000000012D6000-memory.dmp	Gandcrab

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4420	4604	WerFault.exe	81

C:\Users\Admin\AppData\Local\Temp\2024-04-28_5eb1b9604acac403d47a6dec07905d90_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_5eb1b9604acac403d47a6dec07905d90_karagany_mafia.exe"
1⤵
PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 472
  2⤵
  - Program crash
  PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4604 -ip 4604
1⤵
PID:1420

memory/4604-1-0x0000000000400000-0x00000000012D6000-memory.dmp

Filesize
14.8MB

Download
memory/4604-2-0x00000000013C0000-0x00000000014C0000-memory.dmp

Filesize
1024KB

Download
memory/4604-3-0x0000000000400000-0x00000000012D6000-memory.dmp

Filesize
14.8MB

Download
memory/4604-5-0x0000000001390000-0x00000000013A7000-memory.dmp

Filesize
92KB

Download
memory/4604-6-0x0000000000400000-0x00000000012D6000-memory.dmp

Filesize
14.8MB

Download