Malware Analysis Report

2024-09-23 05:22

Sample ID 240531-x5r5xabc26
Target 2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany
SHA256 d966c96c7ad64cee64648b6dfacb794431acd180c4c20376d86ce22109982ad4
Tags
gandcrab
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d966c96c7ad64cee64648b6dfacb794431acd180c4c20376d86ce22109982ad4

Threat Level: Known bad

The file 2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany was found to be: Known bad.

Malicious Activity Summary

gandcrab

Detects Reflective DLL injection artifacts

Detects ransomware indicator

GandCrab payload

Gandcrab Payload

Gandcrab family

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-31 19:26

Signatures

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects ransomware indicator

Description Indicator Process Target
N/A N/A N/A N/A

GandCrab payload

Description Indicator Process Target
N/A N/A N/A N/A

Gandcrab Payload

Description Indicator Process Target
N/A N/A N/A N/A

Gandcrab family

gandcrab

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 19:26

Reported

2024-05-31 19:29

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 88

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 19:26

Reported

2024-05-31 19:29

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_aab27cc3367636dce042a79b59b7c4e5_bkransomware_gandcrab_karagany.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A