File name: | GandCrabV5.0.4.exe |
Full analysis: | https://app.any.run/tasks/3abe4f2c-fc74-40b8-a151-504048a75369 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim to restore access to encrypted files. If the victim does not pay, the files are lost for good. |
Analysis date: | January 23, 2019, 01:50:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | DE030D9AE03C9A8D2BEE41C0DF01EE4D |
SHA1: | 1EBC7CB36A0F2D5B857DE4F1C73F2C0B880C8629 |
SHA256: | A45BD4059D804B586397F43EE95232378D519C6B8978D334E07F6047435FE926 |
SSDEEP: | 6144:RQLDPe0enwt4qiJUNnN+fNr73jxvnLTK4dKrBr9OvrkTWuXcsc:RQ32tQ4lUNcfNr73jxvLO4dKh9OvrkC |
Extension | Identified file type (match score) |
---|---|
.exe | Win32 Executable Microsoft Visual Basic 6 (90.6) |
.exe | Win32 Executable (generic) (4.9) |
.exe | Generic Win/DOS Executable (2.2) |
.exe | DOS Executable Generic (2.2) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2011:02:05 16:30:29+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 569344 |
InitializedDataSize: | 12288 |
UninitializedDataSize: | - |
EntryPoint: | 0x1464 |
OSVersion: | 4 |
ImageVersion: | 5.13 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 5.13.0.18 |
ProductVersionNumber: | 5.13.0.18 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
CompanyName: | sorry.fire.below.four.strike.firm] |
FileDescription: | best`nothing`save`area`sort`cloud> |
LegalCopyright: | america-height-level-copy-half-four^ |
LegalTrademarks: | weather/thirteen/lose/office/while/india. |
ProductName: | clannishness3 |
FileVersion: | 5.13.0018 |
ProductVersion: | 5.13.0018 |
InternalName: | dowitcher |
OriginalFileName: | dowitcher.exe |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 05-Feb-2011 15:30:29 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000B8 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 05-Feb-2011 15:30:29 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0008A9A0 | 0x0008B000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.96763 |
.data | 0x0008C000 | 0x00000B58 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0008D000 | 0x00001064 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.01264 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.41376 | 960 | Unicode (UTF 16LE) | English - United States | RT_VERSION |
Imported DLL |
---|
MSVBVM60.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3128 | "C:\Users\admin\AppData\Local\Temp\GandCrabV5.0.4.exe" | C:\Users\admin\AppData\Local\Temp\GandCrabV5.0.4.exe | — | explorer.exe |
User: admin Company: sorry.fire.below.four.strike.firm] Integrity Level: MEDIUM Description: best`nothing`save`area`sort`cloud> Exit code: 0 Version: 5.13.0018 |
2940 | C:\Users\admin\AppData\Local\Temp\GandCrabV5.0.4.exe" | C:\Users\admin\AppData\Local\Temp\GandCrabV5.0.4.exe | — | GandCrabV5.0.4.exe |
User: admin Company: sorry.fire.below.four.strike.firm] Integrity Level: MEDIUM Description: best`nothing`save`area`sort`cloud> Version: 5.13.0018 |
3140 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | GandCrabV5.0.4.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data |
Operation: | write | Name: | ext |
Value: 2E0061006E006D0066006A000000 (UTF-16LE encoding of ".anmfj") | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | public |
Value: (value not shown) | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | private |
Value: (value not shown) | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrabV5_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrabV5_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrabV5_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrabV5_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2940) GandCrabV5.0.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrabV5_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2940 | GandCrabV5.0.4.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | |
MD5:— | SHA256:— | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | |
MD5:— | SHA256:— | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\AppData\Roaming\ANMFJ-DECRYPT.txt | text | |
MD5:A87EBE16C9A4063028A288B956F076F5 | SHA256:3CD432FCE72404964E8EA5AC60A3E3F2828D969CD6E5CA9CF2D5C8916B88371A | |||
2940 | GandCrabV5.0.4.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\ANMFJ-DECRYPT.txt | text | |
MD5:A87EBE16C9A4063028A288B956F076F5 | SHA256:3CD432FCE72404964E8EA5AC60A3E3F2828D969CD6E5CA9CF2D5C8916B88371A | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.anmfj | binary | |
MD5:72724ED643BFE213E4B99266E50BC0CB | SHA256:1CCBA00DF8D02B330A3829F8CD00182DF9AFC3BA0BCBB241D8AB578848687B07 | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | — | |
MD5:— | SHA256:— | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl | — | |
MD5:— | SHA256:— | |||
2940 | GandCrabV5.0.4.exe | C:\Users\admin\ANMFJ-DECRYPT.txt | text | |
MD5:A87EBE16C9A4063028A288B956F076F5 | SHA256:3CD432FCE72404964E8EA5AC60A3E3F2828D969CD6E5CA9CF2D5C8916B88371A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2940 | GandCrabV5.0.4.exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2940 | GandCrabV5.0.4.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
www.2mmotorsport.biz | — | unknown |