gandcrab | aa0ce13c32f2f9b2b2df826f7e7dc27951aed02ecc0cc31acd5b20f8fbdbdc6f

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa0ce13c32f2f9b2b2df826f7e7dc27951aed02ecc0cc31acd5b20f8fbdbdc6fN.exe
Size

240KB
MD5

faf76e3e7a41eb3dbfa4a3078319ff50
SHA1

22ad8ec32a6a753da4f29e712cbdb9ef661768b1
SHA256

aa0ce13c32f2f9b2b2df826f7e7dc27951aed02ecc0cc31acd5b20f8fbdbdc6f
SHA512

16b59441ba9642daa21a135bde8a1978e9accffa96b1ef10057aae81a5753fa419f5e681075418d63f239dc4083c870b298edc4ef43685036847ecc0529e2b71
SSDEEP

6144:0haKwdeU7LyrC6pnv445VEXs5kzlu/e7QCsXqb:0hydeUvEpbQsx/eMvqb

Score

10^/10

gandcrab backdoor discovery ransomware

Malware Config

Signatures

GandCrab payload 3 IoCs

resource	yara_rule
behavioral2/memory/4900-259-0x0000000000400000-0x000000000044D000-memory.dmp	family_gandcrab
behavioral2/memory/4900-260-0x00000000020A0000-0x00000000020B7000-memory.dmp	family_gandcrab
behavioral2/memory/4900-265-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	aa0ce13c32f2f9b2b2df826f7e7dc27951aed02ecc0cc31acd5b20f8fbdbdc6fN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4692	4900	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa0ce13c32f2f9b2b2df826f7e7dc27951aed02ecc0cc31acd5b20f8fbdbdc6fN.exe

C:\Users\Admin\AppData\Local\Temp\aa0ce13c32f2f9b2b2df826f7e7dc27951aed02ecc0cc31acd5b20f8fbdbdc6fN.exe
"C:\Users\Admin\AppData\Local\Temp\aa0ce13c32f2f9b2b2df826f7e7dc27951aed02ecc0cc31acd5b20f8fbdbdc6fN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 460
  2⤵
  - Program crash
  PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4900 -ip 4900
1⤵
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
1KB

MD5
a41957e5ccfd7470a47e74432e634f08

SHA1
0c426074d88e3eefe4d2414c6a97204815b5b35d

SHA256
588c11e0e93726e57e317ec8f3d37ce9e0a6126a81fb8f39836063e3ff783b8d

SHA512
0f1766fde723c171d3ea7027bb5e371897602e82c3c8f8aba6d7060fa91f20cf0facac0c1a54179a6bcf4b87e134bc212877551a9fe2d157f23c4a6d70031643

Download Submit
C:\Windows\win.ini

Filesize
16KB

MD5
7c4532489fe4d7ea04f416ee47fd7bd2

SHA1
53fa9f43ea6020022580b802b9f3400cf26322c5

SHA256
9e7282b5445b9b7ac7f64ededeef65f9ed06fed91f81c818c63b9b6bd18c2f20

SHA512
88602918ad26ed75e77990a4e31e6c5ace38bc4169e769e8d5f539930d3d4a9b68d41d66432614e654c9a85ad59796eb490bdf3138e4574aa314fa23e5905dc4

Download Submit
memory/4900-256-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/4900-257-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4900-259-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4900-260-0x00000000020A0000-0x00000000020B7000-memory.dmp

Filesize
92KB

Download
memory/4900-265-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4900-264-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download