Managed XDR

home-petik-ss-malware-...dd938ab2_elex_gandcrab — malware analysis report

File info

Filename: home-petik-ss-malware-2026-01-01_6f3dd9fdecb63899e20edb53dd938ab2_elex_gandcrab
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 97.5 KB
First seen: 2026-01-01 10:05
Last seen: 2026-01-01 10:05

Environment

w10/x64 en

Hashes

SHA1: d6360bf6d422c090374c2ec84c203358047bb52c
SHA256: d5d213c971b4627c2fa422d608f3441391fa5bac56f2b9fe802af29fa688f150
MD5: 6f3dd9fdecb63899e20edb53dd938ab2

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1070 stealth_window: A process created a hidden window

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1057 process_interest: Enumerates processes

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

Collection

T1113 screenshot_file: Possibly, makes a screenshot and saves it to a file

Command and Control

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1486 ransomware_windows_possible: Ransomware indicators detected (possible ransom window creation)

T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies

Other

suricata_alert: Malicious traffic detected

ransomware_shadowcopy: Removes volume shadow copies

cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)

network_bind: Starts servers listening at None

dns_without_resolve: DNS query without a response

creates_suspended_process: Creates suspended process

access_recyclebin: Manipulation with recyclebin detected

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

yara_rules: Static rules

Managed XDR