Managed XDR

home-petik-ss-malware-...8173d1c0_elex_gandcrab (GandCrab) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: home-petik-ss-malware-2025-10-06_e85fdd90ac10e89c96ebbf598173d1c0_elex_gandcrab
Тип файла: PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла: 98 KB
Первое обнаружение: 2025-10-06 13:03
Последнее обнаружение: 2025-10-06 13:03

Окружение

win7/x86 en

Хеши

SHA1: 0a7942ac832defb56be74226a62bbafdf5ae4c22
SHA256: fe0fe13dfd695b1f5384c3ba40b151a85570818e56e88ddbcd20d9da44ca6b84
MD5: e85fdd90ac10e89c96ebbf598173d1c0

Вредоносное ПО

GandCrab

Сигнатуры

Execution

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1562 registry_hide_tracing: Modifies File/Console tracing settings (often used to hide iocs from the system)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_queries_computername: Retrieves the computer name

T1070 stealth_window: A process created a hidden window

Credential Access

T1552 cookie_files: Accesses cookie files

T1555.003 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1057 process_interest: Enumerates processes

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_queries_computername: Retrieves the computer name

Collection

T1113 screenshot_file: Possibly, makes a screenshot and saves it to a file

Command and Control

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1486 ransomware_windows_possible: Ransomware indicators detected (possible ransom window creation)

T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies

Other

yara_rules: Static rules

suricata_alert: Malicious traffic detected

ransomware_shadowcopy: Removes volume shadow copies

cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)

dns_without_resolve: DNS query without a response

unexpected_exception: Unexpected exception

create_rpc_bindings: Creates RPC connection

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services