Field | Value |
---|---|
File name | GandCrab5.2 |
Full analysis | https://app.any.run/tasks/e9f947fa-deaa-44e5-9106-21049106f78c |
Verdict | Malicious activity |
Threats | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim to restore access to encrypted files; if the user does not cooperate, the files are lost for good. |
Analysis date | April 15, 2019, 14:31:55 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 78EFE80384FA759964C9EA8BADA3AC8D |
SHA1 | 6300DCA046DEE2D99F8429BDB9B5F3EDC4D5EC1C |
SHA256 | 329B3DDBF1C00B7767F0EC39B90EB9F4F8BD98ACE60E2F6B6FBFB9ADF25E3EF9 |
SSDEEP | 3072:UKwH7Fxw0GQi8SHa0jNwriVcJLLfO1MYU:XG3wq70pwrimxLB |
Extension | Type identification | Score |
---|---|---|
.exe | Win32 Executable MS Visual C++ (generic) | 67.4 |
.dll | Win32 Dynamic Link Library (generic) | 14.2 |
.exe | Win32 Executable (generic) | 9.7 |
.exe | Generic Win/DOS Executable | 4.3 |
.exe | DOS Executable Generic | 4.3 |
Field | Value |
---|---|
Subsystem | Windows GUI |
SubsystemVersion | 5.1 |
ImageVersion | - |
OSVersion | 5.1 |
EntryPoint | 0x58ef |
UninitializedDataSize | - |
InitializedDataSize | 30720 |
CodeSize | 70144 |
LinkerVersion | 14 |
PEType | PE32 |
TimeStamp | 2019:02:16 13:43:25+01:00 |
MachineType | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 16-Feb-2019 12:43:25 |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x000000D8 |
File header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 4 |
Time date stamp | 16-Feb-2019 12:43:25 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | — |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00011112 | 0x00011200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61634 |
.rdata | 0x00013000 | 0x00001648 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.94323 |
.data | 0x00015000 | 0x000056BC | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.67086 |
.reloc | 0x0001B000 | 0x00000628 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.59251 |
Imported DLL |
---|
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
RPCRT4.dll |
USER32.dll |
WININET.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3072 | "C:\Users\admin\AppData\Local\Temp\GandCrab5.2.exe" | C:\Users\admin\AppData\Local\Temp\GandCrab5.2.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 255 |
3500 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | | GandCrab5.2.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: WMI Commandline Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2948 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
3072 | GandCrab5.2.exe | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data | ext | write | 2E0064006400730068006C0061000000 (UTF-16LE ".ddshla", the suffix seen on the encrypted Winre.wim below) |
3072 | GandCrab5.2.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | public | write | (omitted) |
3072 | GandCrab5.2.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | private | write | (omitted) |
3072 | GandCrab5.2.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0 |
3072 | GandCrab5.2.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3072 | GandCrab5.2.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | — | — |
3072 | GandCrab5.2.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.ddshla | — | — | — |
3072 | GandCrab5.2.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | — | — |
3072 | GandCrab5.2.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | — | — |
3072 | GandCrab5.2.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | — | — |
3072 | GandCrab5.2.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | — | — |
3072 | GandCrab5.2.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | — | — |
3072 | GandCrab5.2.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{5c4beaff-a038-4df7-9b35-072a18f8e3d6}_OnDiskSnapshotProp | — | — | — |
3072 | GandCrab5.2.exe | C:\DDSHLA-DECRYPT.txt | text | B87CC8BB0778E9C0D3A548BC8D87E7D6 | DA324BB70B227C426FD04815AEBCED07CAA488BB578E30C426AF69E1C5D24D97 |
3072 | GandCrab5.2.exe | C:\System Volume Information\SPP\OnlineMetadataCache\DDSHLA-DECRYPT.txt | text | B87CC8BB0778E9C0D3A548BC8D87E7D6 | DA324BB70B227C426FD04815AEBCED07CAA488BB578E30C426AF69E1C5D24D97 |