File name:	2025-03-24_0d54c331dce2a76ff5f8ebcb8d35ff18_gandcrab
Full analysis:	https://app.any.run/tasks/3af0ff17-ee16-4479-81ff-8a97aa5fc211
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 16:42:57
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	grandcrab ransomware evasion
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	0D54C331DCE2A76FF5F8EBCB8D35FF18
SHA1:	DDC1AFB60C1F6FED73B0777CF8565B0C6C5E347E
SHA256:	5674E690FB2640C036485FAE0E7A468813129786BEACBE4F209BC8CC861393D9
SSDEEP:	768:4m5MpFvK8LmFDEuE0umZhfH+dRehemCMG5W/UMlaxvKop2hKjeT2FvpDcziq/pEP:gpF3mBbfedUhemCMGg/iZaqvtEU

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:03:04 18:10:15+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	34304
InitializedDataSize:	36352
UninitializedDataSize:	-
EntryPoint:	0x4b20
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(4620) 2025-03-24_0d54c331dce2a76ff5f8ebcb8d35ff18_gandcrab.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	beerztcieoy
Value: "C:\Users\admin\AppData\Roaming\Microsoft\mynaac.exe"

PID	Process	Filename		Type
4452	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-03-24_0d54c_3b1b3d126d5473d1b7ea6fefbed8d432256dee6_c15891a1_e1ea678b-36c7-426a-a00c-ef0f682970ec\Report.wer		—
		MD5:—	SHA256:—
4452	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBBD.tmp.WERInternalMetadata.xml		binary
		MD5:D702A0364AD5A2681DF3DC8649E6C507	SHA256:CA72E5490F4B1A785A8F58F074C784542434610309E519DC99A7A1D1936BFFAF
4452	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAB2.tmp.dmp		binary
		MD5:B46947C183419FFA5F85CA990563D47B	SHA256:571A40693B9C287B913CA58F059A9EB4B5EAA9411B0F13CBA3F666C379E0B6BC
4452	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBFC.tmp.xml		xml
		MD5:5F8D71197273A9D4A7A2FFACF1438A3D	SHA256:B80CB93E9DAD3F05866A6E5183AC683053E2715FC4C52D4ED9AE39D69393D480
4452	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\2025-03-24_0d54c331dce2a76ff5f8ebcb8d35ff18_gandcrab.exe.4620.dmp		binary
		MD5:0144E2C8B0730D1A5B5391F0F83DE695	SHA256:68678BD987B8184E518D04B175EB7A13F952716D6E4256B38B5F105A2B4AE26E
4620	2025-03-24_0d54c331dce2a76ff5f8ebcb8d35ff18_gandcrab.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:D898504A722BFF1524134C6AB6A5EAA5	SHA256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
4620	2025-03-24_0d54c331dce2a76ff5f8ebcb8d35ff18_gandcrab.exe	C:\Users\admin\AppData\Roaming\Microsoft\mynaac.exe		executable
		MD5:98CCFE7677D63C1196A5326F03A00EFB	SHA256:3FEF69B499F2274DB2DA8A5CCBCB79E9137B18544777D6041CF9257640CC07DB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7000	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7000	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7000	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7000	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7000	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7000	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	13.85.23.206:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1452	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4008	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3216	svchost.exe	20.197.71.89:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
6544	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4988	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7000	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7000	SIHClient.exe	23.48.23.155:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	172.217.16.142	whitelisted
ipv4bot.whatismyipaddress.com	—	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
client.wns.windows.com	20.197.71.89	whitelisted
login.live.com	20.190.159.68 40.126.31.73 40.126.31.128 20.190.159.128 40.126.31.71 40.126.31.3 20.190.159.64 20.190.159.0	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
crl.microsoft.com	23.48.23.155 23.48.23.171 23.48.23.174 23.48.23.175 23.48.23.163 23.48.23.176 23.48.23.177 23.48.23.173 23.48.23.160	whitelisted
www.microsoft.com	23.35.229.160	whitelisted

General Info

2025-03-24_0d54c331dce2a76ff5f8ebcb8d35ff18_gandcrab

0D54C331DCE2A76FF5F8EBCB8D35FF18

DDC1AFB60C1F6FED73B0777CF8565B0C6C5E347E

5674E690FB2640C036485FAE0E7A468813129786BEACBE4F209BC8CC861393D9

768:4m5MpFvK8LmFDEuE0umZhfH+dRehemCMG5W/UMlaxvKop2hKjeT2FvpDcziq/pEP:gpF3mBbfedUhemCMGg/iZaqvtEU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GRANDCRAB mutex has been found

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Executes application which crashes

Checks for external IP

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the machine GUID from the registry

Reads CPU info

Reads the computer name

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings