Managed XDR

c-windows-213210366126710027-winrgvw.exe (GandCrab) — malware analysis report

File info

Filename
c-windows-213210366126710027-winrgvw.exe
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
234.5 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
c4187174a4cd94e9033ad37ad25835f9691fc03f
SHA256
8166432f0b9fd869435f61e5214068643e8f8468ed0fd9c4456ffb320db51fb2
MD5
a7934394d3e68ead95a952f9d647c22e

Malwares

  • GandCrab

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.001 disables_security: Disables Windows Security options
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1562 modify_security_center_warnings: Attempts to modify or disable Security Center notifications
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Collection

T1115 checks_clipboard: Monitors clipboard data
T1115 set_clipboard_data: Sets data to clipboard

Command and Control

T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1490 disables_system_restore: Disables System Restore

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
no_graphical_activity: No graphic activity
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call

Related reports