Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 19:35
Behavioral task
behavioral1
Sample
2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe
-
Size
155KB
-
MD5
cf9dac8a0daf7b2ac51b006d0c0fcc00
-
SHA1
f3cd556ee4545b2f7b4ef254c2652abb227a8587
-
SHA256
bcd0fa724bb0e8e7536fe197e363fe5d0dc3c99419e61b1e84a53b377648d137
-
SHA512
4c0ddd5e0accb6c014b5079a1df5c5a211095d4cb3483fe60f62534b5ae2f0b6bf43ddcb26580f7905b9b60eb7d086e69c89f120da865991c04f5dc4ce87afa1
-
SSDEEP
3072:l5K/B0toLQSNJzlZHQsozTS+SMqqDL2/TrKfmG:lcytwtp1yTS+xqqDL6HKP
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1956 1964 WerFault.exe 2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exedescription pid process target process PID 1964 wrote to memory of 1956 1964 2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe WerFault.exe PID 1964 wrote to memory of 1956 1964 2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe WerFault.exe PID 1964 wrote to memory of 1956 1964 2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe WerFault.exe PID 1964 wrote to memory of 1956 1964 2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-31_cf9dac8a0daf7b2ac51b006d0c0fcc00_bkransomware_gandcrab_karagany.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 882⤵
- Program crash