gandcrab | 94ed1eb77bd9cff40d865edad84a0034224588fc694dd756ee5967717083347c

Analysis

max time kernel
97s
max time network
97s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00314.7z
Size

2.9MB
MD5

26138e381f742d7fc61cc0fa315a41dc
SHA1

ce8e7265ea7327505059359ea56f1ba357d1b6ad
SHA256

94ed1eb77bd9cff40d865edad84a0034224588fc694dd756ee5967717083347c
SHA512

96ec6dbb1589c3622b1e55dd1f6a7b69b7108914b7a8f9213578238bf48931deff4367d124a268bb579e821821565b3ece6261cd17b04355f13ee5fa82b6ed82
SSDEEP

49152:FPsnlnPwN8V5295whbTYd9UYji6iYc7HDuRjSQCmkkIpXxRVTvzARRjor887+1G8:hIt4NU585whbsde56cGNC+0XxI8r/T4L

Score

10^/10

gandcrab gozi troldesh 1032 backdoor banker collection credential_access discovery isfb persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1032

okiweqwejqweijqwe.net

nnnvnvnasjdnqwe.net

iaihbqwhebqwehabsd.com

Attributes

dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

GandCrab payload 3 IoCs

resource	yara_rule
behavioral1/memory/2724-43-0x0000000000330000-0x0000000000347000-memory.dmp	family_gandcrab
behavioral1/memory/2724-42-0x0000000000400000-0x0000000005227000-memory.dmp	family_gandcrab
behavioral1/memory/2724-53-0x0000000000400000-0x0000000005227000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Executes dropped EXE 7 IoCs

pid	Process
2968	HEUR-Trojan-Ransom.Win32.Generic-3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58.exe
2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe
2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
2708	Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe
2756	Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
3064	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio System GD = "C:\\Users\\Admin\\AppData\\Roaming\\s6Nq3Yb9W9LzO2EqLCaP0GYr38wx.exe"	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONEOK Inc = "C:\\Users\\Admin\\AppData\\Roaming\\ONEOK Inc\\ONEOK Inc.exe"	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hocchhxevxd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dqdrro.exe\""	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bthpsapi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\DuseCore\\certcic.exe"	Explorer.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	checkip.dyndns.org

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 1248	2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe	42
PID 2884 set thread context of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2708 set thread context of 1872	2708	Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe	107
PID 1872 set thread context of 1196	1872	svchost.exe	21

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-57-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral1/memory/2756-63-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral1/memory/2756-77-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral1/memory/2756-80-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral1/memory/2756-106-0x0000000000400000-0x0000000000606000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1096	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs

pid	Process
2968	HEUR-Trojan-Ransom.Win32.Generic-3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58.exe
2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe
2708	Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe
2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
2756	Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	HEUR-Trojan-Ransom.Win32.Generic-3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58.exe
2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
1248	explorer.exe
1248	explorer.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
2756	Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
2756	Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
3064	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
3064	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
2708	Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe
1196	Explorer.EXE
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1196	Explorer.EXE
880	taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe
2708	Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe
1872	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	2408	7zFM.exe
Token: 35	2408	7zFM.exe
Token: SeSecurityPrivilege	2408	7zFM.exe
Token: SeDebugPrivilege	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
Token: SeDebugPrivilege	1248	explorer.exe
Token: SeDebugPrivilege	880	taskmgr.exe
Token: SeDebugPrivilege	3064	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2408	7zFM.exe
2408	7zFM.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
1196	Explorer.EXE
1196	Explorer.EXE
880	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
880	taskmgr.exe
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2756	Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
3064	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2968	3028	cmd.exe	35
PID 3028 wrote to memory of 2968	3028	cmd.exe	35
PID 3028 wrote to memory of 2968	3028	cmd.exe	35
PID 3028 wrote to memory of 2968	3028	cmd.exe	35
PID 3028 wrote to memory of 2884	3028	cmd.exe	36
PID 3028 wrote to memory of 2884	3028	cmd.exe	36
PID 3028 wrote to memory of 2884	3028	cmd.exe	36
PID 3028 wrote to memory of 2884	3028	cmd.exe	36
PID 3028 wrote to memory of 2696	3028	cmd.exe	37
PID 3028 wrote to memory of 2696	3028	cmd.exe	37
PID 3028 wrote to memory of 2696	3028	cmd.exe	37
PID 3028 wrote to memory of 2696	3028	cmd.exe	37
PID 3028 wrote to memory of 2708	3028	cmd.exe	38
PID 3028 wrote to memory of 2708	3028	cmd.exe	38
PID 3028 wrote to memory of 2708	3028	cmd.exe	38
PID 3028 wrote to memory of 2708	3028	cmd.exe	38
PID 3028 wrote to memory of 2724	3028	cmd.exe	39
PID 3028 wrote to memory of 2724	3028	cmd.exe	39
PID 3028 wrote to memory of 2724	3028	cmd.exe	39
PID 3028 wrote to memory of 2724	3028	cmd.exe	39
PID 3028 wrote to memory of 2756	3028	cmd.exe	40
PID 3028 wrote to memory of 2756	3028	cmd.exe	40
PID 3028 wrote to memory of 2756	3028	cmd.exe	40
PID 3028 wrote to memory of 2756	3028	cmd.exe	40
PID 2724 wrote to memory of 2736	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	41
PID 2724 wrote to memory of 2736	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	41
PID 2724 wrote to memory of 2736	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	41
PID 2724 wrote to memory of 2736	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	41
PID 2696 wrote to memory of 1248	2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe	42
PID 2696 wrote to memory of 1248	2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe	42
PID 2696 wrote to memory of 1248	2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe	42
PID 2696 wrote to memory of 1248	2696	Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe	42
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2884 wrote to memory of 3064	2884	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe	43
PID 2724 wrote to memory of 2076	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	47
PID 2724 wrote to memory of 2076	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	47
PID 2724 wrote to memory of 2076	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	47
PID 2724 wrote to memory of 2076	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	47
PID 2724 wrote to memory of 1048	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	49
PID 2724 wrote to memory of 1048	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	49
PID 2724 wrote to memory of 1048	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	49
PID 2724 wrote to memory of 1048	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	49
PID 2724 wrote to memory of 1524	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	51
PID 2724 wrote to memory of 1524	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	51
PID 2724 wrote to memory of 1524	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	51
PID 2724 wrote to memory of 1524	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	51
PID 2724 wrote to memory of 1328	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	53
PID 2724 wrote to memory of 1328	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	53
PID 2724 wrote to memory of 1328	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	53
PID 2724 wrote to memory of 1328	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	53
PID 2724 wrote to memory of 1912	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	56
PID 2724 wrote to memory of 1912	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	56
PID 2724 wrote to memory of 1912	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	56
PID 2724 wrote to memory of 1912	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	56
PID 2724 wrote to memory of 1536	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	58
PID 2724 wrote to memory of 1536	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	58
PID 2724 wrote to memory of 1536	2724	Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe	58

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1196
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00314.7z"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\Desktop\00314\HEUR-Trojan-Ransom.Win32.Generic-3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58.exe
    HEUR-Trojan-Ransom.Win32.Generic-3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
- - C:\Users\Admin\Desktop\00314\HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
    HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\Desktop\00314\HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe
      "C:\Users\Admin\Desktop\00314\HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:3064
- - C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe
    Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1248
- - C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe
    Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2708
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:1872
- - C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
    Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2076
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1048
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1524
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1328
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2128
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1940
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2300
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1504
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1720
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2260
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2972
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:3056
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2864
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1728
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:324
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1996
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1688
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1480
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2064
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2176
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2124
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.corp-servers.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1008
- - C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
    Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2756
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:880
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BlockStep.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\00314\HEUR-Trojan-Ransom.Win32.Generic-3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58.exe

Filesize
727KB

MD5
6633c99b2c5bebfc2b32aa2c3d8667aa

SHA1
d00bf2fbcbbab2aa5ea1931a8ee1a34f913f2cb2

SHA256
3201b8a148880cd9348f4567f394e57c55e4aba7198dfff43658f4206c5cbf58

SHA512
f74f0a1abc7d915d9b6fd0d1ec6c24ed4ea062867e8dbba799ecb554c8d4730d5de6de91563ae8b9dcf2723c07b000355e1582901fae2588d598579c2f634888

Download Submit
C:\Users\Admin\Desktop\00314\HEUR-Trojan-Ransom.Win32.Generic-4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e.exe

Filesize
260KB

MD5
ddb2fe695edb5ded29389ad905cbe749

SHA1
0a52fa3ceecd90d2b224a76827acfc3c5cdab19a

SHA256
4b7d31d943eb9ae9a9515ad8c4ab8efa45365654e2b2de2662f0e4ef0995e85e

SHA512
96def7e9b311528ca4cb4ef13cd212f14824e835ceddd58cb923bb46f6981d29b38d59afd57e79218900e5d461f12ac0374cf2052c5281f91e9a48d47707fa9f

Download Submit
C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.Blocker.meia-832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b.exe

Filesize
63KB

MD5
c1824e58a621f1573f5dde0ed419b3f9

SHA1
73233526af2d45896d8293f4234b68eee82f0af4

SHA256
832f19c7a9ea6e21c747fe83fb4eaeaea6215c1217efb162f911e855090d3b8b

SHA512
b8007bfd84d21461a4d8acc8277899241fd9722e3c63a398687961dfd962d52933d439415a64eb7fcc6c63c28a34423801f35e12c02e559604daa27492c64731

Download Submit
C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.Foreign.nznk-bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec.exe

Filesize
2.7MB

MD5
b99927b1f16dae0fb29dfa86599b7a86

SHA1
ab5a059416dab9f06c5d9a7de5c3af7a98669288

SHA256
bb95c4d5366696aeda3954d4048ddfb590750f29af157e9ee2d883533ed427ec

SHA512
fb772b44c9c7adee53ec8e6878bda28f7b98a6c32d4156327fcf026d6ec7c514b14cda8bbc9072322f01724a743c9ce93587fb56cf1cd93ae3d9719a26798151

Download Submit
C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.GandCrypt.aah-deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945.exe

Filesize
221KB

MD5
83f8243f44d844337d11e278d5b4ac2b

SHA1
8f13e86188314c7752da1ed570ceacd9eff40ed9

SHA256
deebf5053bbc166e9f7167781d393064d4cca8c2e748578790e28f1f4ea7a945

SHA512
79cb8699065bd37b5d479d9302eb81fb4dfe1cf73da0596ad4e156575292a48d39388b1e793e4ccd298e36319ee98723c7b4e946ef5aa5b8fee57b890351cbe6

Download Submit
C:\Users\Admin\Desktop\00314\Trojan-Ransom.Win32.Shade.oql-14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8.exe

Filesize
1.4MB

MD5
e5d04ea03b0724443d9a04c57971419e

SHA1
89270c7fcbee4e1947c613651d32f93e4f11e1ae

SHA256
14d002fcddb663a0b9b6c1535ef711581c9dd8d6e4d0215499e78fcf44c393e8

SHA512
ad7687527fcad48e75b9e90a8dcbb7163cdd6b48a0a9f07341730b024dee8a5a167d8de9dbe808eddf26ea50b8a3f6fb76ad10e73956ebce61d5ea2b89db8446

Download Submit
memory/880-56-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/880-55-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/880-74-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/880-73-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1196-89-0x0000000002B50000-0x0000000002BD9000-memory.dmp

Filesize
548KB

Download
memory/1196-98-0x0000000002B50000-0x0000000002BD9000-memory.dmp

Filesize
548KB

Download
memory/1196-99-0x0000000002B50000-0x0000000002BD9000-memory.dmp

Filesize
548KB

Download
memory/1196-100-0x0000000002B50000-0x0000000002BD9000-memory.dmp

Filesize
548KB

Download
memory/1196-96-0x0000000002B50000-0x0000000002BD9000-memory.dmp

Filesize
548KB

Download
memory/1196-101-0x0000000002B50000-0x0000000002BD9000-memory.dmp

Filesize
548KB

Download
memory/1196-104-0x0000000002B50000-0x0000000002BD9000-memory.dmp

Filesize
548KB

Download
memory/1248-52-0x0000000000080000-0x0000000000093000-memory.dmp

Filesize
76KB

Download
memory/1248-26-0x0000000000080000-0x0000000000093000-memory.dmp

Filesize
76KB

Download
memory/1872-82-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1872-93-0x0000000000280000-0x0000000000309000-memory.dmp

Filesize
548KB

Download
memory/1872-83-0x0000000000280000-0x0000000000309000-memory.dmp

Filesize
548KB

Download
memory/2696-45-0x0000000000210000-0x0000000000223000-memory.dmp

Filesize
76KB

Download
memory/2708-64-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/2708-65-0x00000000022F0000-0x000000000232A000-memory.dmp

Filesize
232KB

Download
memory/2708-72-0x00000000022F0000-0x000000000232A000-memory.dmp

Filesize
232KB

Download
memory/2708-85-0x00000000022F0000-0x000000000232A000-memory.dmp

Filesize
232KB

Download
memory/2708-75-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/2724-53-0x0000000000400000-0x0000000005227000-memory.dmp

Filesize
78.2MB

Download
memory/2724-42-0x0000000000400000-0x0000000005227000-memory.dmp

Filesize
78.2MB

Download
memory/2724-43-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/2756-80-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2756-77-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2756-106-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2756-63-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2756-57-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2968-27-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3064-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download