File name:	2025-03-24_82306cdd5e591ba3ce97490d1491bec5_gandcrab
Full analysis:	https://app.any.run/tasks/52b6a557-9d6e-4f7a-b294-6458f9f2c629
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 17:20:59
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion grandcrab ransomware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	82306CDD5E591BA3CE97490D1491BEC5
SHA1:	EDA13765C4559EBE05BDAC33B7E6512531A0EA99
SHA256:	2932B5F4FC68D5674F0D62560676D475432BA895FA9B282BF62E58926B312EF9
SSDEEP:	768:sm5MpFvK8LmFDEuE0umZhfH+dRehemCMG5W/UMlaxvKop2hKjeT2FvpDcziq/pEP:kpF3mBbfedUhemCMGg/iZaqvtEU

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:03:04 18:10:15+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	34304
InitializedDataSize:	36352
UninitializedDataSize:	-
EntryPoint:	0x4b20
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(7824) 2025-03-24_82306cdd5e591ba3ce97490d1491bec5_gandcrab.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	klhyggkgevn
Value: "C:\Users\admin\AppData\Roaming\Microsoft\ewspbn.exe"

PID	Process	Filename		Type
8032	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-03-24_82306_e7facf788690bd43aebed282a81ad0489191542b_de935b3b_467397f0-ee72-4d77-8287-e35ab60f0c17\Report.wer		—
		MD5:—	SHA256:—
7824	2025-03-24_82306cdd5e591ba3ce97490d1491bec5_gandcrab.exe	C:\Users\admin\AppData\Roaming\Microsoft\ewspbn.exe		executable
		MD5:083580AF1CE0FBD9F4CA4AF2C6EBD1F3	SHA256:5D398A213D08D42112A32C2B94B83339A5BF10F3A04F3143F42EA34A3C9703D7
8032	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2E2.tmp.dmp		binary
		MD5:4A82FB03428F1C23ABC488E56A44D538	SHA256:50D1DFB656A0462C32E821D2758F844E1F986F0BAB597792385D9A681D5D4D96
8032	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3FD.tmp.xml		xml
		MD5:43E3E06F3BEEF27F9D973277D33D23D8	SHA256:FC1DFFD7D2C75E2B154E39D0417799DD2E9C170C742763D266F39F8B9D0F0EA3
8032	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3CD.tmp.WERInternalMetadata.xml		binary
		MD5:5DF66720B5ACF85BC8EE185F9538E5FB	SHA256:E7AF5542DAA9EA7B6489F5176C3B368D90B18865A79DCA120F5ECD92B95EC635
7824	2025-03-24_82306cdd5e591ba3ce97490d1491bec5_gandcrab.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792		abr
		MD5:D898504A722BFF1524134C6AB6A5EAA5	SHA256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
8032	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\2025-03-24_82306cdd5e591ba3ce97490d1491bec5_gandcrab.exe.7824.dmp		binary
		MD5:ADDA9791FCBAB5B4CE744147C91D659F	SHA256:E3E03E7F720EA360C132DA8B77DAEAABBD0B49477F9E9FF70A8F3850F4D27353

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7492	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3304	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	216.58.206.78	whitelisted
ipv4bot.whatismyipaddress.com	—	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted

General Info

2025-03-24_82306cdd5e591ba3ce97490d1491bec5_gandcrab

82306CDD5E591BA3CE97490D1491BEC5

EDA13765C4559EBE05BDAC33B7E6512531A0EA99

2932B5F4FC68D5674F0D62560676D475432BA895FA9B282BF62E58926B312EF9

768:sm5MpFvK8LmFDEuE0umZhfH+dRehemCMG5W/UMlaxvKop2hKjeT2FvpDcziq/pEP:kpF3mBbfedUhemCMGg/iZaqvtEU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GRANDCRAB mutex has been found

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Executes application which crashes

Checks for external IP

INFO

Reads CPU info

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the computer name

Checks supported languages

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings