
Windows Analysis Report
BUgAyPXboK.exe

Overview

General Information

Sample Name:BUgAyPXboK.exe
Analysis ID:694553
MD5:dde91b6947d2b726e5bb8f5852cecb76
SHA1:7d2467c4e65238599c5fd05641c628fb4252c7ca
SHA256:eae8d675873bd846302263fdca95db805b560d3406ec964f76b2d4123f78b59a
Tags:exe, GandCrab

Detection

Gandcrab
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • BUgAyPXboK.exe (PID: 868 cmdline: "C:\Users\user\Desktop\BUgAyPXboK.exe" MD5: DDE91B6947D2B726E5BB8F5852CECB76)
    • nslookup.exe (PID: 5424 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 1576 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5356 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5360 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4876 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5796 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5224 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5572 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 2912 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4228 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 2464 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 3244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 3824 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 2208 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 2852 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 2608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4628 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4908 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 3096 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 644 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5964 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4064 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 2360 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5728 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5940 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ykbxzh.exe (PID: 5500 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ykbxzh.exe" MD5: EE7A320AB14366D36D44CDC33B5E8238)
  • ykbxzh.exe (PID: 4784 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ykbxzh.exe" MD5: EE7A320AB14366D36D44CDC33B5E8238)
  • cleanup
No configs have been found
Source:BUgAyPXboK.exe
Rule:SUSP_RANSOMWARE_Indicator_Jul20
Description:Detects ransomware indicator
Author:Florian Roth
Strings:
  • 0xf716:$: DECRYPT.txt
  • 0xf784:$: DECRYPT.txt

Source:BUgAyPXboK.exe
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:BUgAyPXboK.exe
Rule:Gandcrab
Description:Gandcrab Payload
Author:kevoreilly
Strings:
  • 0xf70c:$string1: GDCB-DECRYPT.txt
  • 0xf77a:$string1: GDCB-DECRYPT.txt
  • 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Source:C:\Users\user\AppData\Roaming\Microsoft\ykbxzh.exe
Rule:SUSP_RANSOMWARE_Indicator_Jul20
Description:Detects ransomware indicator
Author:Florian Roth
Strings:
  • 0xf716:$: DECRYPT.txt
  • 0xf784:$: DECRYPT.txt

Source:C:\Users\user\AppData\Roaming\Microsoft\ykbxzh.exe
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:C:\Users\user\AppData\Roaming\Microsoft\ykbxzh.exe
Rule:Gandcrab
Description:Gandcrab Payload
Author:kevoreilly
Strings:
  • 0xf70c:$string1: GDCB-DECRYPT.txt
  • 0xf77a:$string1: GDCB-DECRYPT.txt
  • 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Source:0000000C.00000002.292150068.0000000000412000.00000008.00000001.01000000.00000006.sdmp
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:00000019.00000002.306373977.000000000040E000.00000004.00000001.01000000.00000006.sdmp
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:00000000.00000000.252253377.000000000040E000.00000008.00000001.01000000.00000003.sdmp
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:00000019.00000000.303643193.000000000040E000.00000008.00000001.01000000.00000006.sdmp
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:0000000C.00000000.289414377.000000000040E000.00000008.00000001.01000000.00000006.sdmp
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:0.0.BUgAyPXboK.exe.400000.0.unpack
Rule:SUSP_RANSOMWARE_Indicator_Jul20
Description:Detects ransomware indicator
Author:Florian Roth
Strings:
  • 0xf716:$: DECRYPT.txt
  • 0xf784:$: DECRYPT.txt

Source:0.0.BUgAyPXboK.exe.400000.0.unpack
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security

Source:0.0.BUgAyPXboK.exe.400000.0.unpack
Rule:Gandcrab
Description:Gandcrab Payload
Author:kevoreilly
Strings:
  • 0xf70c:$string1: GDCB-DECRYPT.txt
  • 0xf77a:$string1: GDCB-DECRYPT.txt
  • 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Source:12.0.ykbxzh.exe.400000.0.unpack
Rule:SUSP_RANSOMWARE_Indicator_Jul20
Description:Detects ransomware indicator
Author:Florian Roth
Strings:
  • 0xf716:$: DECRYPT.txt
  • 0xf784:$: DECRYPT.txt

Source:12.0.ykbxzh.exe.400000.0.unpack
Rule:JoeSecurity_Gandcrab
Description:Yara detected Gandcrab
Author:Joe Security
                    No Sigma rule has matched
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:39.973829
                    SID:2026737
                    Source Port:59531
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:51.051028
                    SID:2829500
                    Source Port:54507
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:05.669170
                    SID:2026737
                    Source Port:56433
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:37.047109
                    SID:2026737
                    Source Port:59724
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:09.130817
                    SID:2026737
                    Source Port:59626
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:54.073595
                    SID:2829500
                    Source Port:60383
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:46.383892
                    SID:2026737
                    Source Port:56298
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:45.948752
                    SID:2829500
                    Source Port:64965
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:36.753658
                    SID:2829500
                    Source Port:62224
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:43:46.602572
                    SID:2829500
                    Source Port:61613
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:42.471272
                    SID:2026737
                    Source Port:56363
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:51.692352
                    SID:2829500
                    Source Port:56507
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:13.843635
                    SID:2829500
                    Source Port:52121
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:43:31.143411
                    SID:2829500
                    Source Port:63867
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:53.235786
                    SID:2829498
                    Source Port:54513
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:14.540780
                    SID:2026737
                    Source Port:54757
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:00.906690
                    SID:2829500
                    Source Port:50347
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:44:29.746960
                    SID:2829500
                    Source Port:60134
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:45:03.206529
                    SID:2829498
                    Source Port:61173
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
Source IP:192.168.2.6
Destination IP:8.8.8.8
Timestamp:08/31/22-23:43:48.342534
                    SID:2026737
                    Source Port:52486
                    Destination Port:53
                    Protocol:UD