File name: | grandcab.exe |
Full analysis: | https://app.any.run/tasks/f3b125e1-6042-4ca8-b409-d4821460dde1 |
Verdict: | Malicious activity |
Threats: | GandCrab is one of the best-known ransomware families. Ransomware is malware that encrypts the victim's files and demands payment to restore access; if the victim does not pay, the files remain inaccessible unless a working decryptor becomes available. |
Analysis date: | December 14, 2018, 13:38:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 97A449FED7D800A8A635592605FF8A67 |
SHA1: | 2F339D8B2EDB7C07126D9A3C37EFFE14966817C5 |
SHA256: | 233437B647F9482A8A3BA51D0AF69039BB58FB48609704A39DB1F709A0E6ACA6 |
SSDEEP: | 12288:hEm67VkaivvtYku9hoVw7G/znXoABEg6s0u1Tw:dEivv+bGuuznXONq10 |
Extension | Detected type (TrID) | Probability |
---|---|---|
.exe | Win32 Executable MS Visual C++ (generic) | 64.5% |
.dll | Win32 Dynamic Link Library (generic) | 13.6% |
.exe | Win32 Executable (generic) | 9.3% |
.exe | Clipper DOS Executable | 4.1% |
.exe | Generic Win/DOS Executable | 4.1% |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2018:11:07 22:01:29+01:00 |
PEType: | PE32 |
LinkerVersion: | 10 |
CodeSize: | 98816 |
InitializedDataSize: | 396288 |
UninitializedDataSize: | - |
EntryPoint: | 0xa4c1 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 5.3.38.4 |
ProductVersionNumber: | 5.3.38.4 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
PrivateBuild: | 5.3.38.4 |
InternalName: | SelectivelyL2p |
OriginalFileName: | SelectivelyL2p |
FileDescription: | Safemode Mentions Coms |
LegalCopyright: | (c). All rights reserved. HWorks |
Languages: | English |
CompanyName: | HWorks |
ProductName: | SelectivelyL2p |
LegalTrademarks: | (c). All rights reserved. HWorks |
Comments: | Safemode Mentions Coms |
FileVersion: | 5.3.38.4 |
ProductVersion: | 5.3.38.4 |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 07-Nov-2018 21:01:29 |
Detected languages: | |
Debug artifacts: | |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 07-Nov-2018 21:01:29 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00017688 | 0x00017800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.78949 |
.gcode | 0x00019000 | 0x000008E0 | 0x00000A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.91875 |
.rdata | 0x0001A000 | 0x000064D8 | 0x00006600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.55978 |
.data | 0x00021000 | 0x00003608 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.55819 |
.gdata | 0x00025000 | 0x000001D2 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.91269 |
.rsrc | 0x00026000 | 0x00058ED0 | 0x00059000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.7248 |
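The DOS header, PE header and section table above are exactly what a PE parser walks to reach the section data, and the .rsrc section (entropy 7.72) together with the three RCDATA resources at 7.97 to 7.98 are the kind of packed or encrypted payload an entropy check is meant to surface. The following is an added example, not code from ANY.RUN or from the analysed sample: a standard-library-only Python walker that follows e_lfanew to the PE signature, reads NumberOfSections section headers, computes per-section Shannon entropy, and flags sections that are either high-entropy or both writable and executable. The two-section PE it parses is constructed in build_sample_pe() (its .rsrc is filled with pseudo-random bytes to stand in for an encrypted blob), and the 7.5 threshold is a common rule of thumb, not a figure from the report.

```python
"""Added example: walk a PE section table with the standard library and score each
section's entropy. The PE parsed below is constructed, not the analysed sample."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; a whole section at >= 7.5 is usually packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Follow e_lfanew to 'PE\\0\\0', skip the optional header, read every section header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # the 'Address of NE header' field above
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    _machine, nsections, _stamp, _symtab, _nsyms, opt_size, _chars = COFF_HEADER.unpack_from(image, coff_off)
    table_off = coff_off + COFF_HEADER.size + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, flags) = SECTION_HEADER.unpack_from(image, table_off + i * SECTION_HEADER.size)
        raw = image[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {name!r}: raw data runs past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "flags": flags, "entropy": shannon_entropy(raw),
        })
    return sections


def suspicious_sections(sections, threshold: float = 7.5) -> list:
    """Names of sections that look packed/encrypted or that are writable and executable at once."""
    hits = []
    for s in sections:
        wx = bool(s["flags"] & IMAGE_SCN_MEM_WRITE) and bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        if s["entropy"] >= threshold or wx:
            hits.append(s["name"])
    return hits


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image: header-complete for the parser, not meant to be loadable."""
    e_lfanew = 0x40
    opt_size = 0xE0                               # same 'Size of Optional Header' as in the report
    table_off = e_lfanew + 4 + COFF_HEADER.size + opt_size
    text_raw = b"\x90" * 0x400 + b"\xcc" * 0x400  # low-entropy code filler
    rng = random.Random(1)                        # deterministic stand-in for an encrypted payload
    rsrc_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))
    text_ptr = 0x200
    rsrc_ptr = text_ptr + len(text_raw)

    img = bytearray(rsrc_ptr + len(rsrc_raw))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine I386, 2 sections, EXECUTABLE_IMAGE | 32BIT_MACHINE
    COFF_HEADER.pack_into(img, e_lfanew + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", img, e_lfanew + 4 + COFF_HEADER.size, 0x10B)   # optional header Magic = PE32
    SECTION_HEADER.pack_into(img, table_off, b".text", len(text_raw), 0x1000, len(text_raw), text_ptr,
                             0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    SECTION_HEADER.pack_into(img, table_off + SECTION_HEADER.size, b".rsrc", len(rsrc_raw), 0x2000,
                             len(rsrc_raw), rsrc_ptr, 0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    img[text_ptr:text_ptr + len(text_raw)] = text_raw
    img[rsrc_ptr:rsrc_ptr + len(rsrc_raw)] = rsrc_raw
    return bytes(img)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['vaddr']:08X} raw=0x{s['raw_size']:08X} entropy={s['entropy']:.3f}")
    print("suspicious:", suspicious_sections(secs))
```

Against a real file, replace build_sample_pe() with open(path, "rb").read(). The walker deliberately stops at the section table; a per-resource entropy figure like the RCDATA 442 to 444 rows in the report needs a walk of the resource directory inside .rsrc on top of this (pefile's DIRECTORY_ENTRY_RESOURCE does that), and a ".gcode"/".gdata" style section name is itself worth a second look because the standard toolchain never emits it.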
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.9402 | 634 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.86655 | 21640 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 2.25784 | 2664 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.40411 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 4.00359 | 2440 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 4.03401 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
101 | 3.08108 | 90 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
442 | 7.97101 | 6504 | Latin 1 / Western European | English - United States | RCDATA |
443 | 7.98449 | 235906 | Latin 1 / Western European | English - United States | RCDATA |
444 | 7.98353 | 65040 | Latin 1 / Western European | English - United States | RCDATA |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
MSACM32.dll |
NETAPI32.dll |
SHELL32.dll |
SHLWAPI.dll |
Secur32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3108 | "C:\Users\admin\AppData\Local\Temp\grandcab.exe" | C:\Users\admin\AppData\Local\Temp\grandcab.exe | | explorer.exe |
User: admin; Company: HWorks; Integrity Level: MEDIUM; Description: Safemode Mentions Coms; Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the process terminated on an access violation); Version: 5.3.38.4 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3108 | grandcab.exe | HKEY_CURRENT_USER\Software\ex_data\data | write | ext | 2E0068006500730071006F00680069000000 (NUL-terminated UTF-16LE ".hesqohi", the extension GandCrab appends to the files it encrypts) |
3108 | grandcab.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | public | |
3108 | grandcab.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | private | |
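The two keys in the registry table, HKEY_CURRENT_USER\Software\ex_data\data (value ext) and HKEY_CURRENT_USER\Software\keys_data\data (values public and private), are the first things to check when triaging a GandCrab run: ext is a NUL-terminated UTF-16LE string holding the extension appended to encrypted files (the hex above decodes to .hesqohi), and keys_data holds the per-victim key material. The following is an added example, not code from ANY.RUN or from the sample: it parses registry-write events laid out like the table, decodes the ext value, and reports writes to those two keys while ignoring reads and unrelated writes. The event lines are constructed for the example; the ext hex is the value from the report, while the public/private blobs are placeholders because the report does not reproduce them.

```python
"""Added example: triage sandbox registry-write events for the GandCrab key paths shown
in the report and decode the REG_BINARY 'ext' value. Event lines are constructed."""
import re

# Key paths and value names taken from the report's registry table (lower-cased: registry paths
# are case-insensitive, so the match must be too).
WATCHED_VALUES = {
    (r"hkey_current_user\software\ex_data\data", "ext"): "per-victim file extension stored",
    (r"hkey_current_user\software\keys_data\data", "public"): "victim key material stored (public)",
    (r"hkey_current_user\software\keys_data\data", "private"): "victim key material stored (private)",
}

# One event per line: PID | process | key | operation | value name | hex value (may be empty)
EVENT_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s*\|\s*(?P<proc>[^|]+?)\s*\|\s*(?P<key>[^|]+?)\s*\|\s*(?P<op>\w+)\s*\|"
    r"\s*(?P<name>[^|]+?)\s*\|\s*(?P<value>[0-9A-Fa-f]*)\s*$"
)


def decode_utf16le_hex(hex_value: str) -> str:
    """Decode a REG_BINARY hex dump that holds a NUL-terminated UTF-16LE string."""
    raw = bytes.fromhex(hex_value)
    return raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]


def parse_event(line: str):
    """Return the event fields as a dict, or None for a line that is not an event row."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def triage(lines) -> list:
    """One finding per write to a watched key/value; the 'ext' value is decoded for the analyst."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"].lower() != "write":
            continue
        reason = WATCHED_VALUES.get((ev["key"].lower(), ev["name"].lower()))
        if reason is None:
            continue
        finding = {"pid": ev["pid"], "process": ev["proc"], "key": ev["key"],
                   "name": ev["name"], "reason": reason}
        if ev["name"].lower() == "ext" and ev["value"]:
            finding["extension"] = decode_utf16le_hex(ev["value"])
        findings.append(finding)
    return findings


# Constructed sample in the report's table layout. The 'ext' hex is the value from the report;
# the public/private blobs are placeholders, not the exported keys; the last two rows are
# controls that must not match (unrelated key, and a read rather than a write).
SAMPLE_EVENTS = [
    r"3108 | grandcab.exe | HKEY_CURRENT_USER\Software\ex_data\data | write | ext | 2E0068006500730071006F00680069000000",
    r"3108 | grandcab.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | public | DEADBEEF",
    r"3108 | grandcab.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | private | CAFEBABE",
    r"1234 | notepad.exe | HKEY_CURRENT_USER\Software\Microsoft\Notepad | write | lfFaceName | 4C00750063006900640061000000",
    r"3108 | grandcab.exe | HKEY_CURRENT_USER\Software\keys_data\data | read | public | ",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f['pid']} {f['process']}: {f['reason']} at {f['key']}\\{f['name']}"
              + (f" -> extension {f['extension']}" if "extension" in f else ""))
```

The decoded extension is what you grep the file system for when scoping the damage, and the key path itself is a stable enough artifact to turn into a host-based rule, since the process name and the file name (grandcab.exe here) vary per delivery.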