Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-11-2024 10:25
General
-
Target
2024-11-03_3e90c967f61a27940b1097af983f83de_gandcrab.exe
-
Size
72KB
-
MD5
3e90c967f61a27940b1097af983f83de
-
SHA1
043a615c8b3a22acd7c3b9a0be9d51319f7ad692
-
SHA256
d7efd62d04dc22298f2baad8b295897eaa6c21e84bda2debf8db294ca2ddae9e
-
SHA512
27a46b677a802f3b59bea78d2ba56da0d7d382f80c26e524ab093e9c6aedca69a4d75afa2238cc06e013dc19822896b60cc05c92aaada6ba9d4ec34cca806819
-
SSDEEP
1536:eZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd6:oBounVyFHpfMqqDL2/Lkvd6
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-03_3e90c967f61a27940b1097af983f83de_gandcrab.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-03_3e90c967f61a27940b1097af983f83de_gandcrab.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns2.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.coin dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns2.soprodns.ru2⤵
- System Location Discovery: System Language Discovery
-