2.9
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.66
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Ransom:Win32/GandCrypt.7281bef3 | 20190527 | 0.3.0.5 |
| Avast | Win32:RansomX-gen [Ransom] | 20200226 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200224 | 2013.8.14.323 |
| McAfee | GenericRXDY-EJ!7984D66E8BED | 20200224 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b3ec3c | 20200224 | 1.0.0.1 |
静态指标
查询计算机名称
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545271.343375 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
使用Windows API生成加密密钥
(3 个事件)
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(6 个事件)
动态指标
解析可疑的顶级域名(TLD)
(1 个事件)
| domain | dns1.soprodns.ru | description | 俄罗斯联邦域名 TLD | ||||||
分配可读-可写-可执行内存(通常用于自解压)
(15 个事件)
查询磁盘大小,可用于检测具有小固定大小或动态分配的虚拟机
(1 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Roaming\Microsoft\oaydiq.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Roaming\Microsoft\oaydiq.exe |
检查适配器地址以检测虚拟网络接口
(6 个事件)
使用 Windows 工具进行基本 Windows 功能
(3 个事件)
| cmdline | nslookup gandcrab.bit dns1.soprodns.ru |
| cmdline | nslookup emsisoft.bit dns1.soprodns.ru |
| cmdline | nslookup nomoreransom.bit dns1.soprodns.ru |
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\nvojjbofgww | reg_value | "C:\Users\Administrator\AppData\Roaming\Microsoft\oaydiq.exe" | ||||||
文件已被 VirusTotal 上 66 个反病毒引擎识别为恶意
(50 out of 66 个事件)
| ALYac | Generic.Ransom.GandCrab.D438DF84 |
| APEX | Malicious |
| AVG | Win32:RansomX-gen [Ransom] |
| Acronis | suspicious |
| Ad-Aware | Generic.Ransom.GandCrab.D438DF84 |
| AhnLab-V3 | Trojan/Win32.Gandcrab.R224767 |
| Alibaba | Ransom:Win32/GandCrypt.7281bef3 |
| Antiy-AVL | Trojan/Win32.AGeneric |
| Arcabit | Generic.Ransom.GandCrab.D438DF84 |
| Avast | Win32:RansomX-gen [Ransom] |
| Avira | TR/Crypt.XPACK.Gen3 |
| BitDefender | Generic.Ransom.GandCrab.D438DF84 |
| BitDefenderTheta | Gen:NN.ZexaF.34090.eyW@aWlel8fi |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Ransomware.Gandcrab-6502432-0 |
| Comodo | TrojWare.Win32.Ransom.GandCrab.B@7kn2ff |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.e8bedd |
| Cylance | Unsafe |
| Cyren | W32/S-4af35050!Eldorado |
| DrWeb | Trojan.Encoder.27154 |
| ESET-NOD32 | a variant of Win32/Filecoder.GandCrab.B |
| Emsisoft | Trojan.Agent (A) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-4af35050!Eldorado |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen3 |
| FireEye | Generic.mg.7984d66e8bedda27 |
| Fortinet | W32/GandCrab.B!tr.ransom |
| GData | Win32.Trojan-Ransom.GandCrab.C |
| Ikarus | Trojan-Ransom.GandCrab |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.bzloj |
| K7AntiVirus | Trojan ( 0053d33d1 ) |
| K7GW | Trojan ( 005261921 ) |
| Kaspersky | Trojan-Ransom.Win32.GandCrypt.jes |
| Lionic | Trojan.Win32.GandCrypt.H!e |
| MAX | malware (ai score=86) |
| Malwarebytes | Ransom.GandCrab |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXDY-EJ!7984D66E8BED |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.lh |
| MicroWorld-eScan | Generic.Ransom.GandCrab.D438DF84 |
| Microsoft | Ransom:Win32/GandCrab.E |
| NANO-Antivirus | Trojan.Win32.Encoder.eykzmb |
| Paloalto | generic.ml |
| Panda | Trj/GdSda.A |
| Qihoo-360 | Win32/Trojan.Ransom.GandCrab.F |
| Rising | Ransom.GandCrab!1.B8D6 (CLOUD) |
| SUPERAntiSpyware | Ransom.GandCrab/Variant |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2018-02-04 02:58:37
PE Imphash
40306b615af659fc1f93cfb121cc38d9
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00008000 | 0x00008000 | 6.296861858288883 |
| .rdata | 0x00009000 | 0x00009000 | 0x00008600 | 6.1322099086141595 |
| .data | 0x00012000 | 0x00001000 | 0x00000c00 | 3.450195070880191 |
| .CRT | 0x00013000 | 0x00001000 | 0x00000200 | 0.06116285224115448 |
| .rsrc | 0x00014000 | 0x00001000 | 0x00000200 | 4.710061382693063 |
| .reloc | 0x00015000 | 0x00001000 | 0x00000c00 | 6.434410350416442 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x00014060 | 0x0000017d | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x409058 SetFilePointer
• 0x40905c GetFileAttributesW
• 0x409060 ReadFile
• 0x409064 GetLastError
• 0x409068 MoveFileW
• 0x40906c lstrcpyW
• 0x409070 SetFileAttributesW
• 0x409074 CreateMutexW
• 0x409078 GetDriveTypeW
• 0x40907c VerSetConditionMask
• 0x409080 WaitForSingleObject
• 0x409084 GetTickCount
• 0x409088 InitializeCriticalSection
• 0x40908c OpenProcess
• 0x409090 GetSystemDirectoryW
• 0x409094 TerminateThread
• 0x409098 Sleep
• 0x40909c TerminateProcess
• 0x4090a0 VerifyVersionInfoW
• 0x4090a4 WaitForMultipleObjects
• 0x4090a8 DeleteCriticalSection
• 0x4090ac ExpandEnvironmentStringsW
• 0x4090b0 lstrlenW
• 0x4090b4 SetHandleInformation
• 0x4090b8 lstrcatA
• 0x4090bc MultiByteToWideChar
• 0x4090c0 CreatePipe
• 0x4090c4 lstrcmpiA
• 0x4090c8 Process32NextW
• 0x4090cc CreateToolhelp32Snapshot
• 0x4090d0 LeaveCriticalSection
• 0x4090d4 EnterCriticalSection
• 0x4090d8 FindFirstFileW
• 0x4090dc lstrcmpW
• 0x4090e0 FindClose
• 0x4090e4 FindNextFileW
• 0x4090e8 GetNativeSystemInfo
• 0x4090ec GetComputerNameW
• 0x4090f0 GetDiskFreeSpaceW
• 0x4090f4 GetWindowsDirectoryW
• 0x4090f8 GetVolumeInformationW
• 0x4090fc LoadLibraryA
• 0x409100 lstrcmpiW
• 0x409104 VirtualFree
• 0x409108 CreateThread
• 0x40910c CloseHandle
• 0x409110 lstrcatW
• 0x409114 CreateFileMappingW
• 0x409118 ExitThread
• 0x40911c CreateFileW
• 0x409120 GetModuleFileNameW
• 0x409124 WriteFile
• 0x409128 GetModuleHandleW
• 0x40912c UnmapViewOfFile
• 0x409130 MapViewOfFile
• 0x409134 GetFileSize
• 0x409138 GetEnvironmentVariableW
• 0x40913c lstrcpyA
• 0x409140 GetModuleHandleA
• 0x409144 VirtualAlloc
• 0x409148 Process32FirstW
• 0x40914c GetTempPathW
• 0x409150 GetProcAddress
• 0x409154 GetProcessHeap
• 0x409158 HeapFree
• 0x40915c HeapAlloc
• 0x409160 lstrlenA
• 0x409164 CreateProcessW
• 0x409168 ExitProcess
• 0x40916c IsProcessorFeaturePresent
Library USER32.dll:
• 0x409190 wsprintfW
• 0x409194 TranslateMessage
• 0x409198 RegisterClassExW
• 0x40919c LoadIconW
• 0x4091a0 SetWindowLongW
• 0x4091a4 EndPaint
• 0x4091a8 BeginPaint
• 0x4091ac LoadCursorW
• 0x4091b0 GetMessageW
• 0x4091b4 ShowWindow
• 0x4091b8 CreateWindowExW
• 0x4091bc SendMessageW
• 0x4091c0 DispatchMessageW
• 0x4091c4 DefWindowProcW
• 0x4091c8 UpdateWindow
• 0x4091cc GetForegroundWindow
• 0x4091d0 DestroyWindow
Library GDI32.dll:
• 0x409050 TextOutW
Library ADVAPI32.dll:
• 0x409000 CryptExportKey
• 0x409004 AllocateAndInitializeSid
• 0x409008 RegSetValueExW
• 0x40900c RegCreateKeyExW
• 0x409010 RegCloseKey
• 0x409014 CryptAcquireContextW
• 0x409018 CryptGetKeyParam
• 0x40901c CryptReleaseContext
• 0x409020 CryptImportKey
• 0x409024 CryptEncrypt
• 0x409028 CryptGenKey
• 0x40902c CryptDestroyKey
• 0x409030 GetUserNameW
• 0x409034 RegQueryValueExW
• 0x409038 RegOpenKeyExW
• 0x40903c FreeSid
Library SHELL32.dll:
• 0x409180 SHGetSpecialFolderPathW
• 0x409184 ShellExecuteExW
• 0x409188 ShellExecuteW
Library WININET.dll:
• 0x4091d8 InternetCloseHandle
• 0x4091dc HttpAddRequestHeadersW
• 0x4091e0 HttpSendRequestW
• 0x4091e4 InternetConnectW
• 0x4091e8 HttpOpenRequestW
• 0x4091ec InternetOpenW
• 0x4091f0 InternetReadFile
L!This /rLm cannot be run in DOS mode.
4.Rich
`.rdata
@.rsrc
@.reloc
UQSVWj
3_^[]j
W_^[]U
^[]^3[]U
SVWj@h
fD$$QD$
U\SV3D$
fD$,D$
D$DP,@
D$TD$X
t$PD$\D$`
D$dD$8P
_^]SEPuW
[_3^]h
^]U$SV3Ek
]U\SV3Es
fE_^[u(Mu
<}tK<=tBF>
<}t)F<=t
UQSV3WE33p
[]_^[]VWy
GFu33;_
GFu33;_
HthHuo
<}tcG<=t
EPWuu(
MPEPPEP]
U_^[]UE
E F$E(F0E0F<E8FHE@FTEPFtEXF
PPRPRPRPj#
PD$ D$$i
VD$TD$Tp
_^[]jw8
D$8f|$8P
FFPh@h@
GfZvjj
D$P\$$
W|$,t$ D$03D$
r]K\$(
T$4T$$L$
L$(T$$;s
D$D\$@
s(SV`@
BNu^[=
3VL$dl(
\$$D$,m
D$DD$0w
fL$@D$Ds
f|$ D$h/
L$h)L$
FK$'rt$
V_^[]3<
EPMQUREPMN
u4MQUREPU
]U\VjDE
FGuh8@
SVUMWj
GFu_^[t
]ULSVW3En
t6SEPV
3_^[]h8@
_^3[]UDf
ESVW=D@
EemsiEsoftE.bitE
EgandEcrabE.bitE
33DFE3
_^[]V5D@
t'Whp@
SVUWPE
33EVVPWj
t(MAQSjVj
SVWj@h
EtPpNWu
UWM]d$
uP|PhP
|PSM<%
SVWj@h
u_^[]U
L$(|$,
D$$D$$PQh
6D$$D$$PWh
Wt$(j@Bh
t$(D$$D$
L$@<GW
PVjt$ j
D$<L$J
PPT$4$
D$$D$$PWh
t$(3HL$
SVW3Uh
u_^[]U
U3M39]
r_^[]U
E]UQMEM
E]SVWj@h
_^[SV5@
ft?+ft
fu[_3^
SVWj@h
_^[]UQSVWj@h
_^[]Uh
_^3[]U0SWj@h
D$@D$D
3_fLF^[]
SVW39 t
^[_^[UQVEPh
SVW=D@
F t=Qh
EF8EPh
EFPEPh
umMEPQj
3fEEPv|t\
EPEPEPEPEP
v|uN|uh
N|3fTA
ULSV5D@
33WPMM
3PPPPfE$
_^[]U<SVWF
PfEEjPWEs
KPSVWE
E_^[],
Vft;+ft
fu^_3[^_[SVW
GFu_^3[
_^[UdSVWh
AafDMA
EECrypPEtGenERandfEomE
EAdvaEpi32E.dllE
_^3[]U8SVWh
3MWWEP]
EECrypPEtGenERandfEomE
EAdvaEpi32E.dllE
_^3[]U
MH$E3M
P0p4x8X<
MHDE3M
pTxXX\
MHdE3M
ptxxX|
on0v00f
on0v00f
on0v00f
DDDDDDDDDDDDDD
EMEineIE5ntel5*A
E5Genu
MMtCE%?
KuZ^%l@
vwv$v2
vFvFv.Av
xv}vBv2vA
v)vyv{xv%
wY5v #vUv
u,IuBJuu
cc||ww{{
kkooT`00P
ggV++}
bMvvE @}}
Ag_E#Srr[u
=L&&jl66Z~??A
Oh44\Q4
qqsb11S*
RF##e^0
=&N''i
-nnZZ[RRv;;Ma}R)){>^//q
,@ ` y
[[jjFgr99KJJ
XXJk*O
MMf33U
PPx<<D%KQQ]@@
?!p88H
cwuB!!c
5/__5DD.
9WU~~z==Gdd]]2
D""fT**~;
v;d22Vt::N
H$$l\\]nCbb917yy2Cn77Ymm
dNNIllVV
%eezzG
oxxJ%%o\..r8
Q#|tt> !KKa
pp|>>BqffHH
aaj55_WWi
IUUP((xz
e1BBhhAA)Z--w
:cc||ww{{
kkooTP`00
gg}V++
Ag_E#Srr[u
=jL&&Zl66A~??
O\h44Q4
qqsSb11?*
ReF##^(0
=&iN''
tX,,.4
nnZZ[RRMv;;a}{R))>q^//
,`@ y[[jjFgKr99
LLXXJk*O
MMUf33
PPDx<<%KQQ]@@
?!Hp88
cwucB!!0
WU~~Gz==dd]]+2
fD""~T**;
FF)k<(
v;Vd22Nt::
lH$$\\]nCbb917yy2CYn77mm
NNIllVV
%eezzG
oxxoJ%%r\..$8
tt!>
ppB|>>qff
aa_j55WWi
IUUxP((z
AA)wZ--
{TTm:,
cc||ww{{
kkooT0P`0
gg+}V+
_E#Srr[u
=&jL&6Zl6?A~?
O4\h4Q4
qqs1Sb1
R#eF#^
=&'iN'
nnZZ[RR;Mv;a
}){R)>/q^/
, `@ y[[jjF
g9Kr9J
LXXJk*O
PP<Dx<%KQQ]@@
?!8Hp8
cwu!cB!
U~~=Gz=dd]]
"fD"*~T*;
v;2Vd2:Nt:
$lH$\\]n
Cbb917yy2C7Yn7mm
NIllVV
%eezzG
oxx%oJ%.r\.
WsQ#|tt !> K
pp>B|>qffH
aa5_j5WWi
IUU(xP(z
A)-wZ-
cc||ww{{
kkooT00P`
gg++}V
bMvvE @}}
Ag_E#Srr[u
=&&jL66Zl??A~
O44\hQ4
qqs11Sb
R##eF^
=&''iN
-6nnZZ
[RR;;Mva})){R>//q^
, `@
y[[jjFg99KrJJ
PP<<Dx%KQQ
?!88Hp
cwu!!cB
9.WU~~==Gzdd]]
+2ss``
""fD**~T;
v;22Vd::Nt
$$lH\\]nCbb
917yy2C77Ynmm
%eezzG
oxx%%oJ..r\
$8WsQ#|tt !>KK
pp>>B|qffHH
aa55_jWWi
IUU((xPz
QP~AeS
:'^;k EXK
0Uvmv
L%O*&5Db
-Xt!Ii)Du
jyxX>k'q
f}:cJ
1Q3`bS
+pHhXE
lR{s#rK
WfU*(
dh\![T$6.:
Oa ZwKi
&\rDf;[~4C)v#
V},"3IN8
&?,:Px
}cn;{&x
)|1*?#1
05ftN7
zG<YUs?
ys7S_[=o
h>8$4,
a2pHl\t
WBPQS~Ae
:'^;k EXK
U 0vmv%
Xt!)IiDju
xykX>'qO
1`Q3EbS
ElR{#srK
='6-9d
[T:$6.
a iZwK
&\rDf;4[~vC)#hc1
?V},"3
Pxj_bT~F
)|11*?#0
<zGY?Usy
>h,8$4_
p2tHl\B
WPQeS~A
^:'k;E X
KU 0mvvL%
O*D&5bZI
!Xti)ID
juyx>kXq'O
EbSwdk
ElR{#s
rKW *fU(
=9'6-d
[.:$6g
O aKiZw
\r;Df~4[)vC#hc1
,V}"3N
j_FbT~
|)1#1*?0
vMMCMT
<zGYs?Uy
7sS[_o
>h4,8$@_
p2\tHlWB
PQAeS~
'^:k;E X
K0U vmv
L%O*5D&bZI
-t!Xi)ID
juyxX>kq'O
+HhXpE
l{Rs#K
r WU*f(
O awKiZ
&r\f;D~4[C)v#hc1c
J$}=2
},V3"IN
cn;{&x
|)1?#1*0
G<zYs?U
7sS[_=o
xh>$4,8@_
a{2pl\tHWBR
8$4,6-9'$6.:*?#1pHhX~AeSlZrNbS
EHl\tFeQ
T~FbZwKi
;{2p)m f W
Js#z(a5h>W
;k5f'q)|
s7}:o-a vm
`dwmzRY
&MFCMQP_[u
dVNi@`R{\r
>!0("3,:
necntsyx
MTAO]Sywek1?-#
ZX>kQ3`J$}C)v4b =o
A.al{vUXOB
'*zG<tN7fU*h\!Bc
y2+H<"C.9^ 0U
0YRODu~ch
p4.S:'^(<I&5D|B
Df;Jo6Xt!V},7
/KGd"Ii)[~4Us?
ypkb]TOF
,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS
FeQbT~FiZwK
{;p2m)f W \
#s(z5a>h
L;k5f'q)|
s7}:o-a vm
&FMMCPQ[_ju
dVNi@`R{\r
>!0("3,:=
%enncstxyI
MAO]Sywek1?-#
kX>`Q3}J$vC) 4b
Aal{vUXOB
'*<zG7tN*fU!h\
H2+C<"^.9U 0
YRODu~ch
p4.S:'^(<I&5D|B
Df;Jo6Xt!V},z7
/"Gd)Ii4[~?Us
mG18#*
ypkb]TOF
4,8$9'6-.:$6#1*?hXpHeS~ArNlZ
EbS\tHlQ
FeFbT~KiZw
{;p2m)f W \
#s(z5a>h
Lk;f5q'|)_
Y7s:}-o amv`
FMMCPQ[_ju
j_dVNi@`R{\r
>!0("3,:
necntsyxZI
AO]Sywek
Zg>kX3`Q$}J)vCb 4o
al{vUXOB
*<zG7tN*fU!h\
H2+C<"^.9U 0
YRODu~chg
S4.^:'I(<D&5
nY;Df6Jo!Xt,V}
d"Gi)I~4[s?UP
ypkb]TOF
$4,8-9'66.:$?#1*HhXpAeS~ZrNlS
Ebl\tHeQ
F~FbTwKiZ
;{2p)m f W
Js#z(a5h>W
k;f5q'|)_
Y7s:}-o avm
`dwmzRY
&FMMCPQ[_
jVdiN`@{Rr\
!>(03":,
necntsyxZI
MTAO]Sywek1?-#
ZX>kQ3`J$}C)v4b =o
A.al{vUXOB
*G<zN7tU*f\!hc
+H2"C<9^.0U
0YRODu~ch
.S4'^:<I(5D&B
nf;Do6Jt!X},V
d"Gi)I~4[s?UP
ypkb]TOFA
pub_key
DELETE}
{DELETE}
advapi32.dll
CheckTokenMembership
Address:
fabian wosar <3
Can't find server
aeriedjD#shasj
*******************
RtlComputeCrc32
GandCrabGandCrabnomoreransom.bit|
ExitProcess
lstrlenA
HeapAlloc
HeapFree
GetProcessHeap
GetProcAddress
VirtualAlloc
GetModuleHandleA
lstrcpyA
GetEnvironmentVariableW
GetFileSize
MapViewOfFile
UnmapViewOfFile
GetModuleHandleW
WriteFile
GetModuleFileNameW
CreateFileW
ExitThread
lstrlenW
GetTempPathW
CreateFileMappingW
lstrcatW
CloseHandle
CreateThread
VirtualFree
lstrcmpiW
lstrcmpiA
SetFilePointer
GetFileAttributesW
ReadFile
GetLastError
MoveFileW
lstrcpyW
SetFileAttributesW
CreateMutexW
GetDriveTypeW
VerSetConditionMask
WaitForSingleObject
GetTickCount
InitializeCriticalSection
OpenProcess
GetSystemDirectoryW
TerminateThread
TerminateProcess
VerifyVersionInfoW
WaitForMultipleObjects
DeleteCriticalSection
ExpandEnvironmentStringsW
CreateProcessW
SetHandleInformation
lstrcatA
MultiByteToWideChar
CreatePipe
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
LeaveCriticalSection
EnterCriticalSection
FindFirstFileW
lstrcmpW
FindClose
FindNextFileW
GetNativeSystemInfo
GetComputerNameW
GetDiskFreeSpaceW
GetWindowsDirectoryW
GetVolumeInformationW
LoadLibraryA
KERNEL32.dll
DispatchMessageW
DefWindowProcW
UpdateWindow
SendMessageW
CreateWindowExW
ShowWindow
SetWindowLongW
LoadIconW
RegisterClassExW
TranslateMessage
wsprintfW
BeginPaint
LoadCursorW
GetMessageW
DestroyWindow
EndPaint
GetForegroundWindow
USER32.dll
TextOutW
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegSetValueExW
AllocateAndInitializeSid
FreeSid
CryptExportKey
CryptAcquireContextW
CryptGetKeyParam
CryptReleaseContext
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
GetUserNameW
RegQueryValueExW
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
CryptStringToBinaryA
CryptBinaryToStringA
CRYPT32.dll
InternetOpenW
InternetReadFile
InternetConnectW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
InternetCloseHandle
WININET.dll
GetDeviceDriverBaseNameW
EnumDeviceDrivers
PSAPI.DLL
IsProcessorFeaturePresent
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
0000000000
1#1-171A1i1s1}111111111111
2:2D2N2X2b2l2v2222222222
3 3)333=3G3^3h3r3|3333333333
4/494C4M4W4g4q4{444444444
5(585B5L5V5~555555555555
6'6O6Y6c6m6w666666666666 7*747>7H7R7\7s7}7777777777
8#8-8D8N8X8b8l8|88888888888
9 9)939=9M9W9a9k99999999999
:(:2:<:d:n:x::::::::::::
;5;?;I;S;];g;q;;;;;;;;;;<<<<<<<<<
='=1=;=E=m=w============
>?>I>S>]>g>q>{>>>>>>>>>>
?%?/?9?C?M?e?o?y??????????
0 070A0K0U0_0o0y0000000000
1'111A1K1U1_111111111111
2'212Y2c2m2w222222222222
3+353?3I3S3]3g3
3333333333
4%4/494Q4[4e4o4y4444444444
5#5-575A5K5[5e5o5y5555555555
6-676A6K6s6}666666666666
7E7O7Y7c7m7w77777777777N8k8{88888
9D9M99:::::.;:;
;;;;;;;
<0<7<I<Z<b<<<<<<<<<
>0>U>[>j>w>>>>>>>>>>>>
?A?\?????
01111S2]2d2u2
22222:3A333444445
6(6Z6e6m666&7S77748\8888888-989p9x999
:#:1:8:H:N:::::::9;;O<
=-=B=H=====
>'>L>j>>>>?
0"0)030:0D0Q0k000
151A1I1Q1V11111111111122222
5%595555555
6W6_6g6o6w6
66666666666666666
7 7*757@7K7V7a7l7w7777777777
8&8-878L8e8888888
9p9999
:.:4:T:Z:|::::::::/;=;q;{;;;;
<i<<<<<
>&>+>1>;>U>g>>>>>>N?\?y????????
0(0-050=0g0m000000
1T11111111
2!222Q2`222222
3+3=3L3S3a333333
4 4,494D4l4s44444*5a555555
6?666666
77P888w9|9999999999
: :R:\:n:~:::
<======
>%>/>;>D>P>
0$000:0J0V0000000
1%1*1@1T1h1|111
232D2p2x222222222
3A3333 4F4444444
5&5-5U5s5~55555555
6/6W6^6e666666666%7+707G7q7~7777
8 808[8i8p8~8888
9%989=9M9\9e9{9999999
:,:::N:\:p:~::::::::
;";);7;E;X;i;w;;;;;;;;
< <6<A<W<b<x<<<<<<<<(=I=Y=h=q=====!>&>B>J>>>>>>>>B?b?m???????
0 0P0b0}00000000
1#1*11111
20292H2Z2_2s2~22222222
3 3&3-343S3[3
333 4*434<4R4^4f4r4}4444
5*5R5Y5`5g5n5u5|5555555555
6'6L6Q6Y6a6h6v666666&77
:4:a:k:u::::
;4;b;n;t;;
=g=u=====O>]>l>>>>>6?C?R?\?b??????
0 0g0n0~0000000$1+1;1H1s1z111111
2H2O2^2h2n22222
3$333=3C3333333
5+5956
7#7+7074787a77777777777
8 8$888888888
9A9H9L9P9T9X9\9`9d999999D;g;;;;;$<<<<<<<<
j�j�j�j�j�j�
@�@�@�@�@�@�
A�p�p�D�a�t�a�
\�M�i�c�r�o�s�o�f�t�\�
G�a�n�d�C�r�a�b�!�
w�i�n�3�2�a�p�p�
f�i�r�e�f�o�x�
r�a�n�s�o�m�_�i�d�
o�s�_�b�i�t�
o�s�_�m�a�j�o�r�
p�c�_�k�e�y�b�
p�c�_�l�a�n�g�
p�c�_�g�r�o�u�p�
p�c�_�n�a�m�e�
p�c�_�u�s�e�r�
r�a�n�s�o�m�_�i�d�=�
{�U�S�E�R�I�D�}�
G�l�o�b�a�l�\�
m�s�f�t�e�s�q�l�.�e�x�e�
s�q�l�a�g�e�n�t�.�e�x�e�
s�q�l�b�r�o�w�s�e�r�.�e�x�e�
s�q�l�s�e�r�v�r�.�e�x�e�
s�q�l�w�r�i�t�e�r�.�e�x�e�
o�r�a�c�l�e�.�e�x�e�
o�c�s�s�d�.�e�x�e�
d�b�s�n�m�p�.�e�x�e�
s�y�n�c�t�i�m�e�.�e�x�e�
m�y�d�e�s�k�t�o�p�q�o�s�.�e�x�e�
a�g�n�t�s�v�c�.�e�x�e�i�s�q�l�p�l�u�s�s�v�c�.�e�x�e�
x�f�s�s�v�c�c�o�n�.�e�x�e�
m�y�d�e�s�k�t�o�p�s�e�r�v�i�c�e�.�e�x�e�
o�c�a�u�t�o�u�p�d�s�.�e�x�e�
a�g�n�t�s�v�c�.�e�x�e�a�g�n�t�s�v�c�.�e�x�e�
a�g�n�t�s�v�c�.�e�x�e�e�n�c�s�v�c�.�e�x�e�
f�i�r�e�f�o�x�c�o�n�f�i�g�.�e�x�e�
t�b�i�r�d�c�o�n�f�i�g�.�e�x�e�
o�c�o�m�m�.�e�x�e�
m�y�s�q�l�d�.�e�x�e�
m�y�s�q�l�d�-�n�t�.�e�x�e�
m�y�s�q�l�d�-�o�p�t�.�e�x�e�
d�b�e�n�g�5�0�.�e�x�e�
s�q�b�c�o�r�e�s�e�r�v�i�c�e�.�e�x�e�
e�x�c�e�l�.�e�x�e�
i�n�f�o�p�a�t�h�.�e�x�e�
m�s�a�c�c�e�s�s�.�e�x�e�
m�s�p�u�b�.�e�x�e�
o�n�e�n�o�t�e�.�e�x�e�
o�u�t�l�o�o�k�.�e�x�e�
p�o�w�e�r�p�n�t�.�e�x�e�
s�t�e�a�m�.�e�x�e�
t�h�e�b�a�t�.�e�x�e�
t�h�e�b�a�t�6�4�.�e�x�e�
t�h�u�n�d�e�r�b�i�r�d�.�e�x�e�
v�i�s�i�o�.�e�x�e�
w�i�n�w�o�r�d�.�e�x�e�
w�o�r�d�p�a�d�.�e�x�e�
/�c� �t�i�m�e�o�u�t� �-�c� �5� �&� �d�e�l� �"�%�s�"� �/�f� �/�q�
c�m�d�.�e�x�e�
C�o�n�t�e�n�t�-�T�y�p�e�:� �a�p�p�l�i�c�a�t�i�o�n�/�x�-�w�w�w�-�f�o�r�m�-�u�r�l�e�n�c�o�d�e�d�
c�u�r�l�.�p�h�p�?�t�o�k�e�n�=�
a�c�t�i�o�n�=�r�e�s�u�l�t�&�e�_�f�i�l�e�s�=�%�d�&�e�_�s�i�z�e�=�%�I�6�4�u�&�e�_�t�i�m�e�=�%�d�&�
a�c�t�i�o�n�=�c�a�l�l�&�
&�p�u�b�_�k�e�y�=�
&�p�r�i�v�_�k�e�y�=�
&�v�e�r�s�i�o�n�=�2�.�1�
M�i�c�r�o�s�o�f�t� �E�n�h�a�n�c�e�d� �C�r�y�p�t�o�g�r�a�p�h�i�c� �P�r�o�v�i�d�e�r� �v�1�.�0�
\�P�r�o�g�r�a�m�D�a�t�a�\�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�
\�T�o�r� �B�r�o�w�s�e�r�\�
R�a�n�s�o�m�w�a�r�e�
\�A�l�l� �U�s�e�r�s�\�
\�L�o�c�a�l� �S�e�t�t�i�n�g�s�\�
d�e�s�k�t�o�p�.�i�n�i�
a�u�t�o�r�u�n�.�i�n�f�
n�t�u�s�e�r�.�d�a�t�
i�c�o�n�c�a�c�h�e�.�d�b�
b�o�o�t�s�e�c�t�.�b�a�k�
b�o�o�t�.�i�n�i�
n�t�u�s�e�r�.�d�a�t�.�l�o�g�
t�h�u�m�b�s�.�d�b�
G�D�C�B�-�D�E�C�R�Y�P�T�.�t�x�t�
%�s�\�G�D�C�B�-�D�E�C�R�Y�P�T�.�t�x�t�
i�p�v�4�b�o�t�.�w�h�a�t�i�s�m�y�i�p�a�d�d�r�e�s�s�.�c�o�m�
u�n�d�e�f�i�n�e�d�
D�o�m�a�i�n�
S�Y�S�T�E�M�\�C�u�r�r�e�n�t�C�o�n�t�r�o�l�S�e�t�\�s�e�r�v�i�c�e�s�\�T�c�p�i�p�\�P�a�r�a�m�e�t�e�r�s�
W�O�R�K�G�R�O�U�P�
L�o�c�a�l�e�N�a�m�e�
C�o�n�t�r�o�l� �P�a�n�e�l�\�I�n�t�e�r�n�a�t�i�o�n�a�l�
K�e�y�b�o�a�r�d� �L�a�y�o�u�t�\�P�r�e�l�o�a�d�
0�0�0�0�0�4�1�9�
p�r�o�d�u�c�t�N�a�m�e�
S�O�F�T�W�A�R�E�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�
S�O�F�T�W�A�R�E�\�W�o�w�6�4�3�2�N�o�d�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�
I�t�a�n�i�u�m�
U�n�k�n�o�w�n�
P�r�o�c�e�s�s�o�r�N�a�m�e�S�t�r�i�n�g�
H�A�R�D�W�A�R�E�\�D�E�S�C�R�I�P�T�I�O�N�\�S�y�s�t�e�m�\�C�e�n�t�r�a�l�P�r�o�c�e�s�s�o�r�\�0�
I�d�e�n�t�i�f�i�e�r�
2�n�t�d�l�l�.�d�l�l�
U�N�K�N�O�W�N�
N�O�_�R�O�O�T�_�D�I�R�
R�E�M�O�V�A�B�L�E�
R�E�M�O�T�E�
R�A�M�D�I�S�K�
%�I�6�4�u�/�
A�V�P�.�E�X�E�
e�k�r�n�.�e�x�e�
a�v�g�n�t�.�e�x�e�
a�s�h�D�i�s�p�.�e�x�e�
N�o�r�t�o�n�A�n�t�i�B�o�t�.�e�x�e�
M�c�s�h�i�e�l�d�.�e�x�e�
a�v�e�n�g�i�n�e�.�e�x�e�
c�m�d�a�g�e�n�t�.�e�x�e�
s�m�c�.�e�x�e�
p�e�r�s�f�w�.�e�x�e�
p�c�c�p�f�w�.�e�x�e�
f�s�g�u�i�e�x�e�.�e�x�e�
c�f�p�.�e�x�e�
m�s�m�p�e�n�g�.�e�x�e�
H�T�T�P�/�1�.�1�
Process Tree
-
001cb02bbaa5bdae2bad733d54b5b9cc6fd8a730560955bc244d4c33f3ac4f4a.exe (3012)
"C:\Users\Administrator\AppData\Local\Temp\001cb02bbaa5bdae2bad733d54b5b9cc6fd8a730560955bc244d4c33f3ac4f4a.exe"
- nslookup.exe (2656) nslookup nomoreransom.bit dns1.soprodns.ru
- nslookup.exe (856) nslookup gandcrab.bit dns1.soprodns.ru
- nslookup.exe (2328) nslookup emsisoft.bit dns1.soprodns.ru
- nslookup.exe (2512) nslookup gandcrab.bit dns1.soprodns.ru
- nslookup.exe (312) nslookup emsisoft.bit dns1.soprodns.ru
- nslookup.exe (2484) nslookup nomoreransom.bit dns1.soprodns.ru
001cb02bbaa5bdae2bad733d54b5b9cc6fd8a730560955bc244d4c33f3ac4f4a.exe, PID: 3012, Parent PID: 2236
default registry file network process services synchronisation iexplore office pdf
nslookup.exe, PID: 2656, Parent PID: 3012
default registry file network process services synchronisation iexplore office pdf
nslookup.exe, PID: 2328, Parent PID: 3012
default registry file network process services synchronisation iexplore office pdf
nslookup.exe, PID: 856, Parent PID: 3012
default registry file network process services synchronisation iexplore office pdf
nslookup.exe, PID: 2484, Parent PID: 3012
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| ipv4bot.whatismyipaddress.com | ||
| dns1.soprodns.ru | ||
| 114.114.114.114.in-addr.arpa |
PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com |
|
| dns.msftncsi.com | A 131.107.255.255 | |
| nomoreransom.bit | ||
| nomoreransom.bit | ||
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | |
| emsisoft.bit | ||
| emsisoft.bit | ||
| gandcrab.bit | ||
| gandcrab.bit |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 65473 | 114.114.114.114 | 53 |
| 192.168.56.101 | 49642 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 56934 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58486 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58487 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58488 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
| 192.168.56.101 | 58489 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 57666 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57667 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57668 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57669 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57670 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57671 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57672 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57673 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57674 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57675 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57676 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57677 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57678 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57679 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57680 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57681 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57682 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57683 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57684 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57685 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57686 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57687 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57688 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57689 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | f4f39e040b97c8c6_oaydiq.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Roaming\Microsoft\oaydiq.exe |
| Size | 73.5KB |
| Processes | 3012 (001cb02bbaa5bdae2bad733d54b5b9cc6fd8a730560955bc244d4c33f3ac4f4a.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 7cf24c0052c582e43595834298b5b988 |
| SHA1 | 156b09b208b62a7a9872f8b3878e774695e3868b |
| SHA256 | f4f39e040b97c8c60ed633d79a7f42fb34e4a9dcb61974d1ba3978304dc2968d |
| CRC32 | 1869143F |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.