Edit tour

Windows Analysis Report
eW1QrimJYd.exe

Overview

General Information

Sample Name:	eW1QrimJYd.exe
Analysis ID:	694557
MD5:	b7325e075262ffdeaa68cae94018cadb
SHA1:	2dee9b7321c736f73831ad5bc9be380b7c81680b
SHA256:	88a85792d16b3e48876aa0ea696784d045499a7ba8e7648d9bb7fb27e94b0ad2
Tags:	exe
Infos:

Detection

Gandcrab

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Snort IDS alert for network traffic

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Uses nslookup.exe to query domains

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

Drops PE files

Found evaded block containing many API calls

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

eW1QrimJYd.exe (PID: 4500 cmdline: "C:\Users\user\Desktop\eW1QrimJYd.exe" MD5: B7325E075262FFDEAA68CAE94018CADB)

nslookup.exe (PID: 5720 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5916 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5400 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5732 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4788 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5276 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6148 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6220 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6316 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6372 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6528 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6632 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6720 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6808 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6920 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7028 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7100 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7156 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6164 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6288 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 2852 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 2408 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6392 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

qvvfpl.exe (PID: 3252 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe" MD5: E5E0C9F951E9947AEA55720B7D0299F2)

qvvfpl.exe (PID: 68 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe" MD5: E5E0C9F951E9947AEA55720B7D0299F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eW1QrimJYd.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
eW1QrimJYd.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
eW1QrimJYd.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Memory Dumps

Source	Rule	Description	Author
00000018.00000002.311448565.0000000000D79000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000018.00000000.308301094.0000000000D79000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000B.00000000.290444735.0000000000D79000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000000.250804234.0000000000A89000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: eW1QrimJYd.exe PID: 4500	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: qvvfpl.exe PID: 3252	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: qvvfpl.exe PID: 68	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.0.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
11.0.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
11.0.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.2.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
11.2.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
11.2.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.0.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
24.0.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
24.0.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.0.eW1QrimJYd.exe.a80000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
1.0.eW1QrimJYd.exe.a80000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.0.eW1QrimJYd.exe.a80000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.2.eW1QrimJYd.exe.a80000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
1.2.eW1QrimJYd.exe.a80000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.2.eW1QrimJYd.exe.a80000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.2.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
24.2.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
24.2.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 13 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860695532026737 08/31/22-23:49:57.078873
SID:	2026737
Source Port:	60695
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864649532026737 08/31/22-23:50:23.329807
SID:	2026737
Source Port:	64649
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850255532829498 08/31/22-23:50:34.185397
SID:	2829498
Source Port:	50255
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862039532829498 08/31/22-23:50:37.987567
SID:	2829498
Source Port:	62039
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857518532829498 08/31/22-23:49:46.207614
SID:	2829498
Source Port:	57518
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849468532026737 08/31/22-23:50:44.319184
SID:	2026737
Source Port:	49468
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856571532829500 08/31/22-23:49:21.389711
SID:	2829500
Source Port:	56571
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863674532829500 08/31/22-23:50:38.481064
SID:	2829500
Source Port:	63674
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861613532829500 08/31/22-23:49:00.911463
SID:	2829500
Source Port:	61613
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854197532829500 08/31/22-23:50:08.085752
SID:	2829500
Source Port:	54197
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861175532026737 08/31/22-23:50:41.147699
SID:	2026737
Source Port:	61175
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851324532829500 08/31/22-23:49:50.142801
SID:	2829500
Source Port:	51324
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
eW1QrimJYd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eW1QrimJYd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Windows Analysis Report
eW1QrimJYd.exe