GandCrab Ransomware | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2018-01-26 18:51 (UTC+1) |
| VM Analysis Duration Time | 00:10:27 |
| Execution Successful |
|
| Sample Filename | bi35.exe |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 13 |
| Termination Reason | Timeout |
| Reputation Enabled |
|
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 24 |
| VTI Rule Type | Default (PE, ...) |
|
The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration. |
|
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
|
|
The operating system was rebooted during the analysis. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0x478 | Analysis Target | High (Elevated) | bi35.exe | "C:\Users\CIiHmnxMn6Ps\Desktop\bi35.exe" | - |
| #2 | 0xdf0 | Child Process | High (Elevated) | nslookup.exe | nslookup gandcrab.bit a.dnspod.com | #1 |
| #4 | 0x79c | Autostart | Medium | tubcvd.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe" | - |
| #5 | 0xba8 | Child Process | Medium | nslookup.exe | nslookup gandcrab.bit a.dnspod.com | #4 |
| #7 | 0x788 | Child Process | Medium | nslookup.exe | nslookup gandcrab.bit a.dnspod.com | #4 |
| #9 | 0x784 | Child Process | High (Elevated) | wmic.exe | "C:\Windows\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe" | #4 |
| #11 | 0x324 | RPC Server | System (Elevated) | svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | #9 |
| #12 | 0xab0 | RPC Server | System (Elevated) | wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | #11 |
| #13 | 0x2f0 | Child Process | High (Elevated) | cmd.exe | cmd /c start C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe | #12 |
| #15 | 0xa5c | Child Process | High (Elevated) | tubcvd.exe | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe | #13 |
| #16 | 0xaa8 | Child Process | High (Elevated) | nslookup.exe | nslookup gandcrab.bit a.dnspod.com | #15 |
| #18 | 0x924 | Child Process | High (Elevated) | nslookup.exe | nslookup gandcrab.bit a.dnspod.com | #15 |
| #20 | 0x190 | Child Process | High (Elevated) | wmic.exe | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | #15 |
| ID | #21000 |
| MD5 Hash Value | 2548e6fc9eb17e55d22dcfb4bf27212d |
| SHA1 Hash Value | 93dd44a5f16cedd2f4793bd8b9a19523d49fc9e8 |
| SHA256 Hash Value | 5d53050a1509bcc9d97552fa52c1105b51967f4ccf2bde717b502605db1b5011 |
| Filename | bi35.exe |
| File Size | 128.50 KB (131584 bytes) |
| File Type | Windows Exe (x86-32) |
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2018-01-26 18:27 |
| Microsoft Office Version | 16.0.4266.1003 |
| Internet Explorer Version | 11.0.10240.16384 |
| Chrome Version | 58.0.3029.110 |
| Firefox Version | 53.0.3 |
| Flash Version | 25.0.0.148 |
| Java Version | 8.0.1310.11 |
| VM Name | win10_64 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 10 Threshold 1 |
| VM Kernel Version | 10.0.10240.16384 (c68ee22f-dcf6-4778-95c5-4a862be16567) |
