Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 04:11

Static task: static1

Behavioral task: behavioral1
Sample: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Resource: win10v2004-20240508-en
General
Target: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Size: 32KB
MD5: 887fa36424d04164a242ffdc4756f0b4
SHA1: d09c3a60deb8a50daac4d960a08b319e72e5a319
SHA256: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69
SHA512: 2097c30f2e449d045471a4c50e95700d5aa5e9d20863201083b839b92271e5030bad53db2829f06f2d696f12f56c618c95de3189eb974870469ef5595f314cce
SSDEEP: 768:6q27qnSLVl6IxWciTJsKqDjyP5/jIoV+wBbgZgZ2:6NqSBlTWci1sKwjyxjZVf8
Malware Config
Extracted: gandcrab
http://gdcbghvjyqy7jclk.onion.top/
Signatures
GandCrab payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/1468-0-0x0000000000E90000-0x0000000000EA7000-memory.dmp | family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Detects ransomware indicator (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/1468-0-0x0000000000E90000-0x0000000000EA7000-memory.dmp | SUSP_RANSOMWARE_Indicator_Jul20
Gandcrab Payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/1468-0-0x0000000000E90000-0x0000000000EA7000-memory.dmp | Gandcrab
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhpsmvbavhu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe" | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
description | ioc | process
File opened (read-only) | \??\Q: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\Z: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\B: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\G: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\J: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\L: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\N: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\V: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\X: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\A: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\E: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\H: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\K: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\U: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\Y: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\M: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\O: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\R: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\S: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\T: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\I: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\P: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
File opened (read-only) | \??\W: | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
pid | process
1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Suspicious use of WriteProcessMemory (45 IoCs)
Processes: e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
Each of the following writes is logged three times (45 IoCs in total):
description | pid | process | target process
PID 1468 wrote to memory of 1100 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 3172 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 1936 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 4080 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 3240 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 4800 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 4812 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 2816 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 3208 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 4748 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 1968 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 3728 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 1840 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 3600 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
PID 1468 wrote to memory of 2372 | 1468 | e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe | nslookup.exe
Processes
Process tree (indentation shows parent and child processes):

C:\Users\Admin\AppData\Local\Temp\e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1e264506996ffa061f8af03c4f5d7aa643c2e2b82aeec2568f6b5baa3f12c69.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup gandcrab.bit dns1.soprodns.ru