analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

grandcrab.exe

Full analysis: https://app.any.run/tasks/8854af88-8c88-45e2-a569-e80ee4f501fa
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 13:22:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

07FADB006486953439CE0092651FD7A6

SHA1:

E42431D37561CC695DE03B85E8E99C9E31321742

SHA256:

D77378DCC42B912E514D3BD4466CDDA050DDA9B57799A6C97F70E8489DD8C8D0

SSDEEP:

3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GandCrab keys found

      • grandcrab.exe (PID: 1908)

    • Actions looks like stealing of personal data

      • grandcrab.exe (PID: 1908)

    • Writes file to Word startup folder

      • grandcrab.exe (PID: 1908)

    • Connects to CnC server

      • grandcrab.exe (PID: 1908)

    • Renames files like Ransomware

      • grandcrab.exe (PID: 1908)

    • Deletes shadow copies

      • grandcrab.exe (PID: 1908)

  • SUSPICIOUS

    • Reads the cookies of Mozilla Firefox

      • grandcrab.exe (PID: 1908)

    • Creates files like Ransomware instruction

      • grandcrab.exe (PID: 1908)

    • Creates files in the user directory

      • grandcrab.exe (PID: 1908)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • grandcrab.exe (PID: 1908)

    • Changes internet zones settings

      • iexplore.exe (PID: 3428)

    • Reads Microsoft Office registry keys

      • iexplore.exe (PID: 3428)

    • Reads internet explorer settings

      • iexplore.exe (PID: 4068)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3428)

    • Application launched itself

      • iexplore.exe (PID: 3428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:24 09:47:02+02:00
PEType: PE32
LinkerVersion: 12
CodeSize: 79360
InitializedDataSize: 114688
UninitializedDataSize: -
EntryPoint: 0x6314
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Sep-2018 07:47:02
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 24-Sep-2018 07:47:02
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00013474
0x00013600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.57387
.rdata
0x00015000
0x00006EE0
0x00007000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.58949
.data
0x0001C000
0x000138F4
0x00011C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.85604
.rsrc
0x00030000
0x000001E0
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.7015
.reloc
0x00031000
0x000013B4
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.65085

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
UNKNOWN
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
MPR.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WININET.dll
XPSPRINT.DLL
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #GANDCRAB grandcrab.exe wmic.exe no specs rundll32.exe no specs iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1908"C:\Users\admin\AppData\Local\Temp\grandcrab.exe" C:\Users\admin\AppData\Local\Temp\grandcrab.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
3328"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exegrandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3156"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\sharefoundation.jpg.klrkbC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3428"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\KLRKB-DECRYPT.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4068"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3428 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
677
Read events
598
Write events
76
Delete events
3

Modification events

(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(1908) grandcrab.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\grandcrab_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
0
Suspicious files
271
Text files
207
Unknown types
6

Dropped files

PID
Process
Filename
Type
1908grandcrab.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5:
SHA256:
1908grandcrab.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData
MD5:
SHA256:
1908grandcrab.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
MD5:
SHA256:
1908grandcrab.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata
MD5:
SHA256:
1908grandcrab.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
MD5:
SHA256:
1908grandcrab.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
MD5:
SHA256:
1908grandcrab.exeC:\Users\admin\AppData\Roaming\Adobe\KLRKB-DECRYPT.htmlhtml
MD5:7AB5112BB7443377788C471CB1358492
SHA256:77D04981782FBF3DC96C93C3B0A1BE0BF4517197628EB3241B02620C38A46516
1908grandcrab.exeC:\Users\admin\.oracle_jre_usage\KLRKB-DECRYPT.htmlhtml
MD5:7AB5112BB7443377788C471CB1358492
SHA256:77D04981782FBF3DC96C93C3B0A1BE0BF4517197628EB3241B02620C38A46516
1908grandcrab.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\KLRKB-DECRYPT.htmlhtml
MD5:7AB5112BB7443377788C471CB1358492
SHA256:77D04981782FBF3DC96C93C3B0A1BE0BF4517197628EB3241B02620C38A46516
1908grandcrab.exeC:\Users\admin\AppData\KLRKB-DECRYPT.htmlhtml
MD5:7AB5112BB7443377788C471CB1358492
SHA256:77D04981782FBF3DC96C93C3B0A1BE0BF4517197628EB3241B02620C38A46516
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
26
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1908
grandcrab.exe
GET
87.236.16.31:80
http://asl-company.ru/
RU
malicious
1908
grandcrab.exe
GET
92.53.96.201:80
http://perovaphoto.ru/
RU
malicious
1908
grandcrab.exe
GET
146.66.72.87:80
http://www.perfectfunnelblueprint.com/
US
malicious
1908
grandcrab.exe
GET
77.104.171.238:80
http://www.fabbfoundation.gm/
US
malicious
1908
grandcrab.exe
POST
146.66.72.87:80
http://www.perfectfunnelblueprint.com/content/tmp/sosoesse.png
US
malicious
1908
grandcrab.exe
POST
77.104.171.238:80
http://www.fabbfoundation.gm/content/images/kedehe.bmp
US
malicious
1908
grandcrab.exe
POST
404
87.236.16.31:80
http://asl-company.ru/uploads/tmp/kameimme.png
RU
html
12.2 Kb
malicious
1908
grandcrab.exe
GET
301
198.54.121.193:80
http://www.poketeg.com/
US
html
227 b
malicious
1908
grandcrab.exe
POST
404
92.53.96.201:80
http://perovaphoto.ru/wp-content/assets/thzuim.bmp
RU
html
1.02 Kb
malicious
1908
grandcrab.exe
GET
199.250.210.64:80
http://cevent.net/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1908
grandcrab.exe
198.54.121.193:80
www.poketeg.com
Namecheap, Inc.
US
unknown
1908
grandcrab.exe
198.54.121.193:443
www.poketeg.com
Namecheap, Inc.
US
unknown
1908
grandcrab.exe
217.70.184.50:443
www.macartegrise.eu
GANDI SAS
FR
malicious
1908
grandcrab.exe
217.160.0.234:443
www.billerimpex.com
1&1 Internet SE
DE
malicious
1908
grandcrab.exe
92.53.96.201:80
perovaphoto.ru
TimeWeb Ltd.
RU
malicious
1908
grandcrab.exe
217.160.0.234:80
www.billerimpex.com
1&1 Internet SE
DE
malicious
1908
grandcrab.exe
217.70.184.50:80
www.macartegrise.eu
GANDI SAS
FR
malicious
1908
grandcrab.exe
77.104.171.238:80
www.fabbfoundation.gm
SoftLayer Technologies Inc.
US
malicious
1908
grandcrab.exe
69.73.180.151:80
www.wash-wear.com
Global Net Access, LLC
US
malicious
1908
grandcrab.exe
87.236.16.31:80
asl-company.ru
Beget Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
www.billerimpex.com
  • 217.160.0.234
whitelisted
www.macartegrise.eu
  • 217.70.184.50
malicious
www.poketeg.com
  • 198.54.121.193
malicious
perovaphoto.ru
  • 92.53.96.201
malicious
asl-company.ru
  • 87.236.16.31
malicious
www.fabbfoundation.gm
  • 77.104.171.238
malicious
www.perfectfunnelblueprint.com
  • 146.66.72.87
unknown
www.wash-wear.com
  • 69.73.180.151
malicious
pp-panda74.ru
  • 87.236.16.219
malicious
cevent.net
  • 199.250.210.64
malicious

Threats

PID
Process
Class
Message
1908
grandcrab.exe
A Network Trojan was detected
ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] GandCrab Ransomware HTTP
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] GandCrab Ransomware HTTP
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] GandCrab Ransomware HTTP
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1908
grandcrab.exe
A Network Trojan was detected
MALWARE [PTsecurity] GandCrab Ransomware HTTP
1908
grandcrab.exe
A Network Trojan was detected
ET POLICY Data POST to an image file (gif)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
grandcrab.exe