Edit tour

Windows Analysis Report
2fiDcmkaZY.exe

Overview

General Information

Sample Name:	2fiDcmkaZY.exe
Analysis ID:	694570
MD5:	a8ac57500de5dadf8c4db19959ddf2ec
SHA1:	202baa4b862222951619adc032fd2883562113b2
SHA256:	fcc7cc8f57d5a2a525d8026e81f69318262ca4e9036a726e26b1e3406f6f52d5
Tags:	exe
Infos:

Detection

Gandcrab

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Snort IDS alert for network traffic

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Uses nslookup.exe to query domains

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

Drops PE files

Found evaded block containing many API calls

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

2fiDcmkaZY.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\2fiDcmkaZY.exe" MD5: A8AC57500DE5DADF8C4DB19959DDF2EC)

nslookup.exe (PID: 6896 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6972 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7032 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7084 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7144 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5388 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6392 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 3096 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5940 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6024 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5872 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6632 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5964 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6308 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6952 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6848 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7044 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7040 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7104 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7148 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4556 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5844 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5976 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6564 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5860 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6608 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6032 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6440 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6460 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tdicrr.exe (PID: 1476 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe" MD5: D2E112FDFFC314778285E837BC0BED47)

tdicrr.exe (PID: 5864 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe" MD5: D2E112FDFFC314778285E837BC0BED47)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2fiDcmkaZY.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
2fiDcmkaZY.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
2fiDcmkaZY.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Memory Dumps

Source	Rule	Description	Author
0000000D.00000000.343462206.0000000000C79000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000D.00000002.346586335.0000000000C79000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000014.00000002.363374033.0000000000C79000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.304343043.0000000000A69000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000014.00000000.360474661.0000000000C79000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: 2fiDcmkaZY.exe PID: 6752	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: tdicrr.exe PID: 1476	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: tdicrr.exe PID: 5864	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.0.tdicrr.exe.c70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
13.0.tdicrr.exe.c70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
13.0.tdicrr.exe.c70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.0.tdicrr.exe.c70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
20.0.tdicrr.exe.c70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.2fiDcmkaZY.exe.a60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
20.0.tdicrr.exe.c70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.2fiDcmkaZY.exe.a60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.2fiDcmkaZY.exe.a60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.2.tdicrr.exe.c70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
20.2.tdicrr.exe.c70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
20.2.tdicrr.exe.c70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
13.2.tdicrr.exe.c70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
13.2.tdicrr.exe.c70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
13.2.tdicrr.exe.c70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.2fiDcmkaZY.exe.a60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
0.2.2fiDcmkaZY.exe.a60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.2fiDcmkaZY.exe.a60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 13 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.860180532829500 09/01/22-00:02:50.502751
SID:	2829500
Source Port:	60180
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
2fiDcmkaZY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2fiDcmkaZY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Windows Analysis Report
2fiDcmkaZY.exe