Managed XDR

home-petik-shadowserve...9dbd5c80ccc3a_gandcrab (GandCrab) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
home-petik-shadowserver-malware-2024-05-12_d46e934bc17415209cf9dbd5c80ccc3a_gandcrab
Тип файла
PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла
97.5 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
e442cc854a7e0e08d74c4e1d0bbcff680589f59a
SHA256
922b30991f3a97af5c78c0d8b67f1c2acaab49404a20c8efe0910dba92305b42
MD5
d46e934bc17415209cf9dbd5c80ccc3a

Вредоносное ПО

  • GandCrab

Сигнатуры

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1562 registry_hide_tracing: Modifies File/Console tracing settings (often used to hide iocs from the system)
T1070 stealth_window: A process created a hidden window
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1057 process_interest: Enumerates processes
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Collection

T1113 screenshot_file: Possibly, makes a screenshot and saves it to a file

Command and Control

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1486 ransomware_windows_possible: Ransomware indicators detected (possible ransom window creation)
T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
ransomware_shadowcopy: Removes volume shadow copies
cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)
dns_without_resolve: DNS query without a response
unexpected_exception: Unexpected exception
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services

Похожие отчёты