Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
eW1QrimJYd.exe

Overview

General Information

Sample Name:eW1QrimJYd.exe
Analysis ID:694557
MD5:b7325e075262ffdeaa68cae94018cadb
SHA1:2dee9b7321c736f73831ad5bc9be380b7c81680b
SHA256:88a85792d16b3e48876aa0ea696784d045499a7ba8e7648d9bb7fb27e94b0ad2
Tags:exe
Infos:

Detection

Gandcrab
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • eW1QrimJYd.exe (PID: 4500 cmdline: "C:\Users\user\Desktop\eW1QrimJYd.exe" MD5: B7325E075262FFDEAA68CAE94018CADB)
    • nslookup.exe (PID: 5720 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5916 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5400 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5732 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4788 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5276 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6148 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6220 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6316 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6372 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6528 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6632 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6720 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6808 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6920 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 7028 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 7100 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 7156 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6164 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6288 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 2852 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 2408 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6392 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • qvvfpl.exe (PID: 3252 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe" MD5: E5E0C9F951E9947AEA55720B7D0299F2)
  • qvvfpl.exe (PID: 68 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe" MD5: E5E0C9F951E9947AEA55720B7D0299F2)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
eW1QrimJYd.exeSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
  • 0xf716:$: DECRYPT.txt
  • 0xf784:$: DECRYPT.txt
eW1QrimJYd.exeJoeSecurity_GandcrabYara detected GandcrabJoe Security
    eW1QrimJYd.exeGandcrabGandcrab Payloadkevoreilly
    • 0xf70c:$string1: GDCB-DECRYPT.txt
    • 0xf77a:$string1: GDCB-DECRYPT.txt
    • 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exeSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
    • 0xf716:$: DECRYPT.txt
    • 0xf784:$: DECRYPT.txt
    C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exeJoeSecurity_GandcrabYara detected GandcrabJoe Security
      C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exeGandcrabGandcrab Payloadkevoreilly
      • 0xf70c:$string1: GDCB-DECRYPT.txt
      • 0xf77a:$string1: GDCB-DECRYPT.txt
      • 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
      SourceRuleDescriptionAuthorStrings
      00000018.00000002.311448565.0000000000D79000.00000004.00000001.01000000.00000006.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
        00000018.00000000.308301094.0000000000D79000.00000008.00000001.01000000.00000006.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
          0000000B.00000000.290444735.0000000000D79000.00000008.00000001.01000000.00000006.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
            00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
              00000001.00000000.250804234.0000000000A89000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
                Click to see the 4 entries
                SourceRuleDescriptionAuthorStrings
                11.0.qvvfpl.exe.d70000.0.unpackSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
                • 0xf716:$: DECRYPT.txt
                • 0xf784:$: DECRYPT.txt
                11.0.qvvfpl.exe.d70000.0.unpackJoeSecurity_GandcrabYara detected GandcrabJoe Security
                  11.0.qvvfpl.exe.d70000.0.unpackGandcrabGandcrab Payloadkevoreilly
                  • 0xf70c:$string1: GDCB-DECRYPT.txt
                  • 0xf77a:$string1: GDCB-DECRYPT.txt
                  • 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
                  11.2.qvvfpl.exe.d70000.0.unpackSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
                  • 0xf716:$: DECRYPT.txt
                  • 0xf784:$: DECRYPT.txt
                  11.2.qvvfpl.exe.d70000.0.unpackJoeSecurity_GandcrabYara detected GandcrabJoe Security
                    Click to see the 13 entries
                    No Sigma rule has matched
                    Timestamp:192.168.2.68.8.8.860695532026737 08/31/22-23:49:57.078873
                    SID:2026737
                    Source Port:60695
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.68.8.8.864649532026737 08/31/22-23:50:23.329807
                    SID:2026737
                    Source Port:64649
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.68.8.8.850255532829498 08/31/22-23:50:34.185397
                    SID:2829498
                    Source Port:50255
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.68.8.8.862039532829498 08/31/22-23:50:37.987567
                    SID:2829498
                    Source Port:62039
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.68.8.8.857518532829498 08/31/22-23:49:46.207614
                    SID:2829498
                    Source Port:57518
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected
                    <
                    Timestamp:192.168.2.68.8.8.849468532026737 08/31/22-23:50:44.319184
                    SID:2026737