2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe

General
Target

2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe

Size

656KB

Sample

211020-ly8njaghc2

Score
10 /10
MD5

538d23ef01426d1157fa1137471a5cf7

SHA1

ab553df2bb4f7f8d98cc39ac773aaaa1c7ca110f

SHA256

af8e74d00babaae01b6f3b137cff7b6a6951456c66ffa95122695dad6c7b41a9

SHA512

9df42f3c39a8982bc77c82010509c3e98cc56c2d71c6f5f20274c0fbde17c58607d9579877983e2239d30fd60be14402b2b9e3d9295168a3cc8d31ac8f4a1111

Malware Config

Extracted

Path C:\KSPREIW-MANUAL.txt
Family gandcrab
Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KSPREIW The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9dd5ac38f623035 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANIit1arAsJBGWadVuSJMdHbghSpRBX+r21M/fDl0YqRs3GtaR4Ir4t4w1gC4CPncgafDMeqAF65VfUpPCuZ/boSmieCrLKpDIapDyHFERpOkjlSbYQpOwAxLStwBMBulsDjHmpKuaHEusBqHOMLtLBpkQmCu9w0VAAzKUFP0DWi3les5yYrCWr4/EwsNHY+sOCFsRqZFwWgXXxagusGYTThOTcyRyY6GsrtRk7zGBU/kJo1nBvuzgepFKhuoT4zz1ub82leLSuG/+sUK2IzQtW41SIinyZqbomsRKtAsCZQ9f4YUgE2ehs2ZX4OXRDa5pIeInyI2XYZ8JBpXqnqoz5x9McQUucZ07bixTcuqd4Cme8WHu8kPV3nvhwDjBFoZTojSGI+AJmSuA848F+wVzco7bengZthkVB0l6+mZEDy5lLoY8OP5Pss8ze1rueSWMddS9DdjO1nOaTVqtijw5DFbPQmLwUy5XNYOxoRw6CO/36V+SewLMNbhD26anOslQYVj6ryUYxuMiil/8mr7Mqmw/dXUmTXriM3f93wqG8ush36dhtElyzMEADo4xPf3fr9I9yIkkeglY2QByxvdw01sbvVVIEHCVgX38tddan2yaOCBqZmFp4xMl8lqnIIC6VIG8wsTvkI04hInPQum1XEDI3QqoX6Zo2PFyxemEyooHQsrh/9j8eAddV4oceb2N8KDTt6W4GwTKbU3gpNW3We3lfIUS/tyd0g5QxhPozjrj/UkqVhmcipUGF09BPZc0o6hl8viEoZTwIQD/UmTnqUSilFq0OCT4rKncNBcIs9YDJL1YW0DpvnH2LnkI/Kqq5ZS4L2VCu0PRmx8IQIcKAPVOu07bXFdhr/JMpJPGiXnWclO/ZfQ0uaP/8CZ2WuAjtVhGEO2lGcE4RJDJisFmm2utKDZ7iPN4fSfXEHH7JAhjqF2hMTugnHzbOS623D4BehCns2CoePojx7RCgOxPpG+HcgpeYVarowwfwbGxVSB6ma3sLuEfkmqvCKLtHyHgzikRuGE5B1337MeI3dJAqzJWIj/rqKmo5T3GWn4WQ2erbVh+qy3ZIFJXsBUDiScCQvIEv6wiRPHoCnRXZoDVkk3CYpTxbt8RQZ9ZtsR7sc5nQOKwaf7QyMWDgbwGfU6XiLTjpac6WzMZDI6IsGuInValsBw4CQ4vpGFB/raizVVPu0beH2VB4dQ1oBtUHrbuI5bGACmQrGCQruuMi928UQLpHPE4pwpCvEfxdn8w80dU7oAfQM05j1uAR+u6AYZgZxqm7/tYtUN0hpbP4JZ/0FeMJrvXHy0Ltxb3D69g/gETmfJy2r6S54ENj8AM83m0H23q1hNg2tnVWjbsHXz2raxoDe7vAkCY0njRW8+3OX2rKRxgPiZ7uwYpSi78u6ZVS1NxJcyO4q+nOKuTczWFx+tZce0gjP3uqPNrqVvyj2gYtM5DQIYw0LvuKQ7ulxNTQTK9UuQkfJ1N21GvHY9IsqYww/TK1ZaPWYbFsBcgehOT0QP8qWlP6qQg0CnHga7JpbKSQVX+X2cUJVhFpM8vf5S3Dev6FIlzbPjeuKulMYjCDXqNtL02ObTGaJ0V4qt8jEngi8+yvE2//L5z/9caMxa+P0pb4totR0hrOomyciAr6wS795d4q2Z1mnlIr7Iy1nL7ZjlDPmgyqVhq2wLjlUqNwM5fxr5jcr5jlWa5tXv9HK1opB9Q/Y8isUmEyTixuv20RnclbcJjdjLjX7EuJfIrCdzkMhZ4SAVhSZ/H4Z/sDj0iMDtU3hod0KcJMO2eBXEJPKg+p2Kkvju2X67R1/kUn3B0ZcGJ1eMo7lzBQhh1WuN95+Qz/MsjN87bB7Dwb2gnjAr1U6693idYd8dyRoKvBNT3EiLqXY2C0Dpo2Dk3AvldQiPtdZ3juD16dMEGp1zI6fE/o5gSSx2nnL/o+wPFMxMtbh0mPml+BzFeC5/XByGLbWs89gbw5v1A0+OOS6gZ/MPKmubTRl3za6tR8nAfWkH1L2AocqeBcCVmnvcqKfwFNVYCL9rYi/uBlgxCiBGVcz7I2jJj+Z8+IO31hs5abrJak/11OHT3TL+bp2qnwmnuee8EX+Uev9PoRONGbW1IXNaHXQu8AB7P0ZNmLWLPduGKd7wNaHuOWdfhOdhbFfnIB9ypnx9SmJXeSkT7ngWvcXkOcwiiNJwrM88AEo8kZPE0k2GQDPv+EuhqIxJkIRc+8mSTpYRpd+CsQ98rT+gws= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDs9M/JL5DWAuiVveDZRWXIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNxjWLwyoIX95yRHFXKdMI+BkVChenio/1q0nJSZoF9ASQvO7zBnmOH7+ICDGAMpA6ikRWoVdffN00xSVyCWtLmJddBbBiJqrMY9R+C3MrHJmcKR1EfUP43y8fMWLL7jL6Obr2BWwOYITy/J3fayLzJ0v/eISzKziqAuoTvFrp2NPDax/ChAud3oN1oI6iuVzemsqBxvZrwArtoypS8R1aOlCzmc7qd4A+wugXqwckyKb/0f4NwELWWjqbjVwFTi8zPJKLqg0o3dWOf+twlLvHCigIFeEudEtyMvAIvhltRRIBf1D0HFyeWMPZ1Z1lc/pOQ= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/9dd5ac38f623035

Targets
Target

2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe

MD5

538d23ef01426d1157fa1137471a5cf7

Filesize

656KB

Score
10/10
SHA1

ab553df2bb4f7f8d98cc39ac773aaaa1c7ca110f

SHA256

af8e74d00babaae01b6f3b137cff7b6a6951456c66ffa95122695dad6c7b41a9

SHA512

9df42f3c39a8982bc77c82010509c3e98cc56c2d71c6f5f20274c0fbde17c58607d9579877983e2239d30fd60be14402b2b9e3d9295168a3cc8d31ac8f4a1111

Tags

Signatures

  • Gandcrab

    Description

    Gandcrab is a Trojan horse that encrypts files on a computer.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    DefacementModify Registry

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation
                Tasks

                static1