Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 21:35

General

  • Target

    02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe

  • Size

    321KB

  • MD5

    47e0113790ce12370edea2fe5cc337a0

  • SHA1

    509383fcc1dc2ef59faddcbf535fae3adafee30f

  • SHA256

    02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15

  • SHA512

    892b1fec4f8dc82a9b1ef54c7c0f4ae061d94e1090411eb9f1ccfb41c141336622ec46e8546fab234bdf9e739fdebc886d41a839136bb6eef0d1111adaab1458

  • SSDEEP

    6144:PfwD/eHK1rGTAOfrIV/QHxOtJkkgYsGGdzKLK:PfwDz1+q4Hsi+LK

Malware Config

Signatures

  • GandCrab payload 4 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe
    "C:\Users\Admin\AppData\Local\Temp\02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2484
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2848
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2776
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2924
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2792
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2784
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2428
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2680
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2432
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2712
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2204
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2388
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2264
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2340
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2416
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2212
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2056
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2284
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1944
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      PID:1684
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2628
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1836
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1948
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1752
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1556
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2632
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1568
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2064
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1760
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:308
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1976
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2716
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2884
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      PID:1060
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2228
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      PID:712
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:888
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2704
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2332
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2324
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1148
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      PID:2476
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2464
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2800
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1588
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2840
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      PID:2780
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2720
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2328
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1052
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2216
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2176
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2424
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2232
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1528
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2304
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2456
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:956
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1576
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1268
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2032
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1120
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1208
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1012
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1792
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:772
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      PID:1932
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2128-0-0x00000000002A0000-0x00000000002BB000-memory.dmp

    Filesize

    108KB

  • memory/2128-1-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2128-6-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2128-4-0x0000000000360000-0x0000000000377000-memory.dmp

    Filesize

    92KB

  • memory/2128-3-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2128-12-0x00000000002A0000-0x00000000002BB000-memory.dmp

    Filesize

    108KB

  • memory/2128-13-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB