General
- Target: db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
- Size: 191KB
- Sample: 220128-wkyxaahhcn
- MD5: 5bc5696a899074cb3623aa640602c8ad
- SHA1: 792d0ef1d01d80426aabc2c8bbeb680690d94798
- SHA256: db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
- SHA512: 7574237d9495c0cf056b67fb7efa61d426f383976e8fb73b2370835fd1ed63a85d0061c24ee16472bb973acd7cbbb690638b07bb20057774ace0e13b4f87e221
Static task: static1
Behavioral task: behavioral1
Sample: db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Resource: win7-en-20211208
Malware Config
Extracted: C:\KRAB-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/cb99ace73fd0ad8
Extracted: C:\KRAB-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/11c2f5583dfdc5fb
Targets
- Target: db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.