File name: 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab

Full analysis: https://app.any.run/tasks/ecf30215-71d3-43fb-a53d-aba5e55e3f90
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: March 24, 2025, 13:45:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
grandcrab
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 0442800396F72FD7FFD65E0835164D67
SHA1: 9563D6D29C40E2002A375F839048F74AA2053C78
SHA256: 9E42FA1B0BD90DDFBB997ED45264C5920AE48AD041F298E6A2B6A50277DDF304
SSDEEP: 768:Om5MpFvK8LmFDEuE0umZhfH+dRehemCMG5W/UMlaxvKop2hKjeT2FvpDcziq/pEP:ipF3mBbfedUhemCMGg/iZaqvtEU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • GRANDCRAB mutex has been found
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Changes the autorun value in the registry
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Reads security settings of Internet Explorer
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Executes application which crashes
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Checks for external IP
      • svchost.exe (PID: 2196)
  • INFO
    • Creates files or folders in the user directory
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
      • WerFault.exe (PID: 4932)
    • Checks supported languages
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Reads the machine GUID from the registry
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Reads CPU info
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Reads the computer name
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
    • Checks proxy server information
      • 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe (PID: 4120)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:03:04 18:10:15+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 34304
InitializedDataSize: 36352
UninitializedDataSize: -
EntryPoint: 0x4b20
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 134
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: start -> 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe, werfault.exe (no specs), svchost.exe, slui.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID: 4120
CMD: "C:\Users\admin\Desktop\2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe"
Path: C:\Users\admin\Desktop\2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, access violation)
Modules (images): c:\users\admin\desktop\2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll

PID: 4932
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4120 -s 1364
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID: 6736
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
Total events: 5 496
Read events: 5 495
Write events: 1
Delete events: 0

Modification events

(PID) Process: (4120) 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: wflrteezklp
Value: "C:\Users\admin\AppData\Roaming\Microsoft\ijgxvg.exe"
Executable files: 1
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4932 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-03-24_04428_b0cec96cdf54588fdab4156f93731fe779c31f33_03432d9e_e7904bb8-b199-411e-b5b7-6bdeb7c01042\Report.wer | - | - | -
4932 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA85.tmp.dmp | binary | B9C52A27861280591DA3FF55D3B313AA | 50AFAE634779B73F5BEC81E2C62996A35BD98EEF2BCA0718F5559ED4073C2785
4932 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe.4120.dmp | binary | 99461817CC71EA6F5FBF601D0425629B | 22BBA920AC730610AD468369F98E076CA5481BB4162FB9960050C426746431CB
4932 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE41.tmp.xml | xml | EC21174B5908A6DD315C7535A6C90003 | C67B3561AADEFF63EAEA0466F5C448380395124F10F9C7CDC7531C5076995215
4120 | 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe | C:\Users\admin\AppData\Roaming\Microsoft\ijgxvg.exe | executable | F83E9A1CADCC59CED3FBCA2BBB4AAA28 | 457A42E926A28F5D6B1686943077353EECAC68105AFAEB4DEB5691BFC27ED50E
4120 | 2025-03-24_0442800396f72fd7ffd65e0835164d67_gandcrab.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary | D898504A722BFF1524134C6AB6A5EAA5 | 878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
4932 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE11.tmp.WERInternalMetadata.xml | xml | 5B8BECEFBA4D1DD45453C43C9AF415D8 | 956D22C21546822B7EB634ED4DCC8B37EF21354B2A40103D9102EE72D250422F
HTTP(S) requests: 33
TCP/UDP connections: 39
DNS requests: 14
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
2096 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2096 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
2096 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
2096 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
2096 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted
2096 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 40.126.31.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 200 | 20.199.58.43:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T134525Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=4ed704460e564dbabd0958516dc94924&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967544&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358074&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.95 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5800 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2096 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2096 | SIHClient.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2096 | SIHClient.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.184.238 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
client.wns.windows.com | 40.113.110.67 | whitelisted
ipv4bot.whatismyipaddress.com | - | whitelisted
login.live.com | 40.126.32.134, 40.126.32.133, 40.126.32.140, 40.126.32.74, 20.190.160.64, 20.190.160.128, 20.190.160.17, 40.126.32.76 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.147, 23.48.23.164, 23.48.23.176, 23.48.23.173, 23.48.23.166, 23.48.23.143 | whitelisted
www.microsoft.com | 2.19.217.218 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
No debug info