General
-
Target
e5c522e14a66c7ee82d5e68db74f8b44d1a8e43e4a674b17a8405b21a9845bb4
-
Size
139KB
-
Sample
220128-wcvjwshfam
-
MD5
43dfb6a59130c5b3dfc417b10d347498
-
SHA1
312dba38f8bcc99f2a523b1ca8e421dfcec73005
-
SHA256
e5c522e14a66c7ee82d5e68db74f8b44d1a8e43e4a674b17a8405b21a9845bb4
-
SHA512
3f84325328f07f4d5f63f2a800d10f75e8da96f4f6c479086fd505b83654fca31815e5d7d2fed2228034335d12403726fd822b0f29e88a391e452d9e5d01e1cb
Static task
static1
Behavioral task
behavioral1
Sample
e5c522e14a66c7ee82d5e68db74f8b44d1a8e43e4a674b17a8405b21a9845bb4.exe
Resource
win7-en-20211208
Malware Config
Extracted
C:\ONZINRJZ-DECRYPT.txt
http://gandcrabmfe6mnef.onion/379bbd2739161a0e
Extracted
C:\TJNRVSBZA-DECRYPT.txt
http://gandcrabmfe6mnef.onion/548d8063ce7b62d9
Targets
-
-
Target
e5c522e14a66c7ee82d5e68db74f8b44d1a8e43e4a674b17a8405b21a9845bb4
-
Size
139KB
-
MD5
43dfb6a59130c5b3dfc417b10d347498
-
SHA1
312dba38f8bcc99f2a523b1ca8e421dfcec73005
-
SHA256
e5c522e14a66c7ee82d5e68db74f8b44d1a8e43e4a674b17a8405b21a9845bb4
-
SHA512
3f84325328f07f4d5f63f2a800d10f75e8da96f4f6c479086fd505b83654fca31815e5d7d2fed2228034335d12403726fd822b0f29e88a391e452d9e5d01e1cb
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-