Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 20:39
Static task
static1
Behavioral task
behavioral1
Sample
0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Resource
win10v2004-20241007-en
General
-
Target
0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
-
Size
244KB
-
MD5
57772ebf37c3c7376a932a39c1c7f770
-
SHA1
eac21915ff9db1604b77efcfd788bce5a051cb3a
-
SHA256
0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800
-
SHA512
2b1696e813912681063b0ae1463011463ea05380e18586d0d5fd6185c9a5c45077af192c90ed9db2f23ee8b879ce773befa781553a00080d5202c5d831b8f982
-
SSDEEP
3072:3q8QC2mCC97sjM2TGm54rYREkcuX8FdXIsLCiQU2jgXQk0rCQRGEsriUIwrmuVUt:zKwm5RDOCiQFju0ubEslxrmt
Malware Config
Signatures
-
GandCrab payload 3 IoCs
resource yara_rule behavioral2/memory/3976-258-0x0000000000400000-0x000000000044E000-memory.dmp family_gandcrab behavioral2/memory/3976-259-0x00000000021D0000-0x00000000021E7000-memory.dmp family_gandcrab behavioral2/memory/3976-263-0x0000000000400000-0x000000000042C000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\win.ini 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 620 3976 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe"C:\Users\Admin\AppData\Local\Temp\0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3976 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 4802⤵
- Program crash
PID:620
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3976 -ip 39761⤵PID:4296
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5b8a9d9de161dd591220d248849ffbc6c
SHA19cb9f48c1d5df484c96f5143e8aab950d3191460
SHA256f06b35cd88f16f41ff83bf0a680b3def8dda87c1ac984fa55aeacedd86fb4a0f
SHA512fa1846daf028ec454bc69cb02fbd270b5d8d0bcb84270a12f62ec770b19bd625b32172e75b370590620c8367d78111681035dcf610c0b3c79b36144dc52a372c