https://youtube.com

Target

https://youtube.com

Sample

211230-werk1sgbb8

Score

10 ^/10

Extracted

Path	C:\HJPEH-MANUAL.txt
Family	gandcrab
Ransom Note	---= GANDCRAB V5.2 =--- *********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED******************* *FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HJPEH The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- \| 0. Download Tor browser - https://www.torproject.org/ \| 1. Install Tor browser \| 2. Open Tor Browser \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c51f259fdf60d9 \| 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAEKqxvD3Gx1Guix9gVoiOpOB1gjVPn1ARzd3Alfd+/jrY6QNPtf3naxp4HHiiMPF1oIueiHdXBcydeAhr7xnKw7LX1vIS/wFXJ3gy18wu+vO1mfzyF0Bq7wShmGclnWLbDJcR7oocEKVx5unSzXccG7fwh5xI9jNHWqdeSLisamlcOGEGqVYyqgFRhRJ4QQtkgeHLOuM49XvEeukxvWch/tBsv2KBUMVK1DOKwhw/7qZTAgLWSo5Cp8rn+hZfmVUeM9nyO+chkhS9xUQ+yYD/Z/vd30grAeu3XfeHuX8pwFwAYcvSHZVS7eNVTe5sKOtVAES0HInJb9JFs7/HlXHN7Pxoc9il5334QddU8c2qcogcVD6NYSJh50d/orBXNsro6TCHoOZFlcVm8zWGjLPkMnic3qNx/6eG383M09S75A6D9guaRaEW2173pzvvqcH7YMkXb6DoFaOUbhDq2hHZVdKADgNBHJ+1/2gvSWJUGfcvKrFV1WMv5KbUv/dIYjHrJLODITqtIC4Z3O4mb4jcD3NK9HqLJzO3E14OWtQxetrZ80Fs+qhAs0z1LWRx8c+4shp2ksyeiA7qXfk5Mc2p5eTEDC87LBRA0ka4tescPThacMZvv3X1L+no3Zu2iZem7epHJTZQYVMwX2gPOe/TMtknzdxcUbLqH07Imw7TU6bIlwMXvhQRgZXq0IIljp6l9d7akv+aapnLaP03Ab599PnKdMMfN0v/tkrlYoQMUTvCbyAR36kCiwLoMDSSU06OOb8kus9I6dmN5oVLIf1kNKK1pC2aaZhSdlkAaNjnLyGQq1rEsiWb/ef7aO6PNQWIfmByvHMp95IDMxql247+4pxiT5HAOcJfJCNr5z7ZM4IXa77OWN0dEi9CkfiI760X2Y7vhVQ1wBUc05NiiS2emHFE/GBndADf+ibl4TEvdir1XBDFaEA+0PJOZufhlfTfpEBeDhHiXYfPodSzqa6xLsq4w1WK1b+a4Mw/Jknnng62yKCZAB9gKiDEteYNT1qgFutN5ZzRiCZzr3NmZ6mheLngH0dnlzo0jfZC5ZYTOvuLEJPfPAQEEsw0kwAD0av/dc5GARPz71x9rDTHCOFzaMRAufLI+8EP0nS4caIyDhWOeLh3Z8bAyuj6/Lsy98yj2vdO1ZgSKgKtJH4kFIVwJn4X78C8WFwgBv45vOftY2wjB3vPAQ+PpM43cBtUv97wgwLPSvn0gHruTVJ/LdoqRci6jSgSrOqWrLnufYwkT6Xj6+T+zrn2yJk/tBQaY3PJAUCvxqbE8n50wuiFbIZpz3Epado07dBUXHYB6isyH75Rb6/19BkUxkkjmuOJj8VEmcmhD0qKoyhvAxiQwR0939s6qrrRTQdxcamxljrThfq+KDSwRHXkxfU+jXqmwCmW0xH6MLQLt21/otidde8IItPKqO6KlFz1hqH6v8BYUM41EDVnVbuukEMxR4meYq2cclnlf0yUfnu7TXjMxcAlFvfW0w2s3i1NsW8SVTgfDOijL27HqPW5GmvodJyHKgcMaGPsTJKn7xpxbHCfMeAstLr+F3nqREk3d6N3cZmk2G26u2SP35oQQpKdHReeK+OrNd4D4KnvGRnzu/SmcF6MugSxAARdwiOvCrCbcoSF5guQmUbOXtaOKqfs2b0U9oMf1bxJfh+lyZGHADYxJzoDhS0G3xW1fG1Jtfvi9RP98TqrceB845AT4oWF98GiyAm0AYjBypxYFwtEb0j6ilDetRf+B0WbFb7ewL0Coua2h2Z6nC8CMZZnzMEQfUJF+QguvU06gDmf262R9ktGuiDwurlsHmB4/rs2/bkUf8F3/NmKAHC/28b2RhRBz7PSoavOS03b3YCHnE8ZBpFoE2gW7BBxWt1+ji0EbVCp6HGBuExlzo5rvSaSdri5ysdptqMTLPv6e+Ojn0LdaQ1fRmP9O4jcT2r46lajWVi1inRDJQWVQUeww2zbE+ltlwq8+DXaVmsuwSsnpwUei6Pd22XoZZfWRAwbvggWihv/3CXjn81SPl4nFtQ5u4PjwICSR301Za8gSLs08MjUd9BCmJ9oIM8r8EPokWDs6+He0DoiRcF/HqDP9pI5fPRMCV6zduH5GbsYO0zVYYzAPrXNkp2KmbGdCM9LENo2eX584lCMX0i9q8zTv0+5pbd4o08rioylwv82DWL8FALyI0SDYyFo2fAmuHwhDxd6p6NN3cYg1cZvZ363g2XzVlDg3jkdVO7i7+Swrw= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDz9NTJN5DRAuyVsODZRWLIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNxjWLwyoIX95yRHFXKdMI+BkVChenio/1q0nJSZoF9ASQvO7zBnmOH7+ICDGAMpA6ikRTAVJPeY0x9SBCDAtLOJK9BZBnJqqMY+R7S3OLHamYyR2EfUP9Tyj/NvLMLjIKOKr31WweYTT0LJ2PaxLzN0vveOSzCzgKAooTvFp52CPC+x4ShHudvoPFoD6iWVwumrqBpvYbwCrtMytS9e1a6lUjmS7q14AOwugXqwckyKb/0f4NwELWWjqbjawFji+DPJKLqg0o3dWOf+twlLvHCigIFeEudEtyMvAIvhltRRIBf1D0HFyeWMPZ1Z1lc/pOQ= ---END PC DATA---
URLs	http://gandcrabmfe6mnef.onion/c51f259fdf60d9

Target

https://youtube.com

Score

10^/10

Signatures

BadRabbit
Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
Tags

ransomware badrabbit
Fantom
Description

Ransomware which hides encryption process behind fake Windows Update screen.
Tags

ransomware fantom
Gandcrab
Description

Gandcrab is a Trojan horse that encrypts files on a computer.
Tags

ransomware backdoor gandcrab
InfinityLock Ransomware
Description

Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
Tags

ransomware infinitylock
Modifies WinLogon for persistence
Tags

persistence

TTPs

Winlogon Helper DLLModify Registry
Suspicious use of NtCreateProcessExOtherParentProcess
UAC bypass
Tags

evasion trojan

TTPs

Bypass User Account ControlDisabling Security ToolsModify Registry
Deletes shadow copies
Description

Ransomware often targets backup files to inhibit system recovery.
Tags

ransomware

TTPs

File DeletionInhibit System Recovery
Disables Task Manager via registry modification
Tags

evasion
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Sets service image path in registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
UPX packed file
Description

Detects executables packed with UPX/modified UPX open source packer.
Tags

upx
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Drops file in System32 directory
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry

Related Tasks

behavioral1

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Bypass User Account Control

static1

urlscan1

behavioral1

badrabbit fantom gandcrab infinitylock backdoor discovery evasion persistence ransomware spyware stealer trojan upx

10^/10

Extracted

Tags

Signatures

BadRabbit

Description

Tags

Fantom

Description

Tags

Gandcrab

Description

Tags

InfinityLock Ransomware

Description

Tags

Modifies WinLogon for persistence

Tags

TTPs

Suspicious use of NtCreateProcessExOtherParentProcess

UAC bypass

Tags

TTPs

Deletes shadow copies

Description

Tags

TTPs

Disables Task Manager via registry modification

Tags

Executes dropped EXE

Modifies Windows Firewall

Tags

TTPs

Modifies extensions of user files

Description

Tags

Sets service image path in registry

Tags

TTPs

UPX packed file

Description

Tags

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Description

Tags

TTPs

Adds Run key to start application

Tags

TTPs

Checks installed software on the system

Description

Tags

TTPs

Enumerates connected drives

Description

TTPs

Drops file in System32 directory

Sets desktop wallpaper using registry

Tags

TTPs

Related Tasks

static1

urlscan1

behavioral1