Analysis

max time kernel:  121s
max time network: 122s
platform:         windows7_x64
resource:         win7-20240508-en
resource tags:    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted:        25-05-2024 22:58

This analysis block (platform windows7_x64, resource win7-20240508-en) corresponds to behavioral task behavioral1 below; no results for the Windows 10 task (behavioral2) appear on this page.
Behavioral task: behavioral1
Sample:   2024-05-25_930ddcd2d6c10ea7a3a7736343701584_bkransomware_gandcrab_karagany.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample:   2024-05-25_930ddcd2d6c10ea7a3a7736343701584_bkransomware_gandcrab_karagany.exe
Resource: win10v2004-20240426-en
General

Target: 2024-05-25_930ddcd2d6c10ea7a3a7736343701584_bkransomware_gandcrab_karagany.exe
Size:   155KB
MD5:    930ddcd2d6c10ea7a3a7736343701584
SHA1:   77cbea55c112b436f2140d3611d4bc5880cc386c
SHA256: 32ebbcad1e997db22c0c623dca15617b7ec7f319a713ac1d28c7a71e0b18d8c7
SHA512: 7946a967c6818eb68214c2412efbde4c7dde940c91259191d61581fc136d0b6b69c5cfc25fa1613df043422469a27bc85ce7533a0e1c30dcf7c507e8259715d8
SSDEEP: 3072:l5K/B0toLxSNJOlZHQsozTS+SMqqDL2/TrKYbG:lcytwsS1yTS+xqqDL6HKd
Malware Config
(no configuration is shown on this page)

Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2420  1724        WerFault.exe  2024-05-25_930ddcd2d6c10ea7a3a7736343701584_bkransomware_gandcrab_karagany.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                        pid   process                                                                        target process
  PID 1724 wrote to memory of 2420   1724  2024-05-25_930ddcd2d6c10ea7a3a7736343701584_bkransomware_gandcrab_karagany.exe  WerFault.exe
  (the same event is recorded four times)

Note on triage: all four WriteProcessMemory events have the sample (PID 1724) as the writer and the WerFault.exe instance it launched for its own crash (PID 2420, started with -p 1724) as the only target. That is the crash-reporting handshake between a faulting process and its WER client, not a write into an unrelated process, so this signature is low-signal in this run. No other signature was raised: the sample crashed on Windows 7 x64 and no ransomware behaviour was recorded. The family names in the filename (bkransomware, gandcrab, karagany) come from the submission name, not from behaviour observed here.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_930ddcd2d6c10ea7a3a7736343701584_bkransomware_gandcrab_karagany.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_930ddcd2d6c10ea7a3a7736343701584_bkransomware_gandcrab_karagany.exe"
    PID: 1724
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 88
        PID: 2420
        signatures: Program crash

Reading the tree: WerFault.exe is launched from SysWOW64, so the sample runs as a 32-bit process on the x64 guest (consistent with the arch:x86 resource tag). In the WER invocation, -p 1724 names the faulting process (the sample itself) and -s 88 is the handle value WerFault uses to synchronize with it. The child has no signatures of its own beyond recording the crash of its parent.
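The triage point above, that a WriteProcessMemory IoC whose only target is the WerFault.exe the writer launched for its own crash is not injection, can be checked mechanically. The following is an added example (not part of the sandbox report or its tooling): it parses the report's flattened "PID X wrote to memory of Y" text, looks each target up in a process table, and separates the WER crash handshake from writes into unrelated processes. The process table is constructed to mirror the tree above; the parent PID 1000 for the sample and the explorer.exe entry (PID 1300) are hypothetical, added only to show the contrasting verdicts.

```python
"""Triage WriteProcessMemory IoCs from a sandbox report.

Separates the Windows Error Reporting crash handshake (faulting process
-> the WerFault.exe it launched) from writes into unrelated processes.
Added example; process records are constructed to mirror the report,
plus hypothetical entries for contrast.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # parent PID
    image: str       # full image path
    cmdline: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int     # process that called WriteProcessMemory
    dst_pid: int     # process whose memory was written


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-05-25_930ddcd2d6c10ea7a3a7736343701584"
          r"_bkransomware_gandcrab_karagany.exe")

# Constructed process table. PIDs 1724 and 2420 and their command lines are
# taken from the report; ppid 1000 and the explorer.exe entry are hypothetical.
PROCS = {
    1724: Proc(1724, 1000, SAMPLE, f'"{SAMPLE}"'),
    2420: Proc(2420, 1724, r"C:\Windows\SysWOW64\WerFault.exe",
               r"C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 88"),
    1300: Proc(1300, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
}

# The report's signature text as extracted: the same event listed four times.
REPORT_TEXT = "PID 1724 wrote to memory of 2420 " * 4

WROTE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
WER_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def parse_writes(text):
    """Pull (src, dst) pairs out of 'PID X wrote to memory of Y' records."""
    return [MemWrite(int(s), int(d)) for s, d in WROTE_RE.findall(text)]


def werfault_faulting_pid(cmdline):
    """The PID WerFault was told to report on (its -p argument), or None."""
    m = WER_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def classify(write, procs):
    """Verdict for one memory write, based on who the target is."""
    dst = procs.get(write.dst_pid)
    if dst is None:
        return "unknown_target"
    if dst.image.lower().endswith(r"\werfault.exe"):
        # WER handshake only if the writer is both WerFault's parent and the
        # faulting PID on its command line. A real injector could pick a
        # WerFault instance as a target too, so anything else stays flagged.
        if dst.ppid == write.src_pid and werfault_faulting_pid(dst.cmdline) == write.src_pid:
            return "wer_crash_handling"
        return "werfault_unexpected"
    if dst.ppid == write.src_pid:
        return "write_to_own_child"     # typical of hollowing a freshly spawned child
    return "possible_injection"


def triage(text, procs):
    """Map each distinct (src, dst) pair to (verdict, number of events)."""
    out = {}
    for w in parse_writes(text):
        key = (w.src_pid, w.dst_pid)
        verdict = classify(w, procs)
        out[key] = (verdict, out.get(key, (verdict, 0))[1] + 1)
    return out


if __name__ == "__main__":
    for (src, dst), (verdict, n) in triage(REPORT_TEXT, PROCS).items():
        print(f"{src} -> {dst}: {verdict} ({n} events)")
```

Running it against the report's text yields a single pair, 1724 -> 2420, classified as wer_crash_handling with 4 events. Feeding the same parser a write from 1724 into the hypothetical explorer.exe returns possible_injection, which is the case that would deserve attention.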