Analysis
-
max time kernel
192s -
max time network
207s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 19:34
General
-
Target
94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
-
Size
139KB
-
MD5
647ce0159d62ba5e42a1a1ee52c83ee6
-
SHA1
4e278e03ec67129d49e9c07c73749c0952dc62fd
-
SHA256
94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107
-
SHA512
8061d68c2cefbf66ced0d1df7b518a8a64f8f3b6e8db7243754760f3291017e85f723d998749b5c851819703f2f33b9e2631495728ff53245f8899f1ee9832a8
Score
10/10
Malware Config
Extracted
Path
C:\ZVOUIEG-DECRYPT.txt
Ransom Note
---= GANDCRAB V5.0.4 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .ZVOUIEG
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/d5104ffaaece9ed0
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAAA9uocKCdkXSu+OeHNH2AS+TRBbkA/HEyvFUhbvcQDTFwOHV5wgNrax1ye+zxxj7xGUQ6/aLnw1sMorbdN/22I0RGwOlqOGEAZfVcsPjvIUcfh5WhP66y/BQQXGX8svSr7Z61HAqruSQSubcjhXsYae4wwwH5gXiLZRNvAG0EgSYvY+Cr50scAGknIEGQho38OhLTWL8aZnM3GjPykj9Q3/PGGYwJPzj4nLboq+PALBtmKFZMOzEO0Ogc36HHsTrgDQAWyBir8NUcpyd9il4ATC2eQSkcRGWyDBpeY7oTeVbmhKf5NKoki1+joBDIbFhdOrjrWS8gfgPAQYIGa2CmlfwfRRQMrxb6HQQPkdSKpqbTTTWsPklP6db2Q5f5cTHxx6EeM5NvB09VCDnVcas2SF4XbVSShod+mJ1mmxv+TJmat5TLJsqJcPFCMGAKCXs4cizHjCRHy2gwkzUmE/YK6lkM/crC5RsjCJlX+Pu9+dRgsT9HogWZcc2SqNH6JoIMGpD+sCzGivCjuIYJYdz6NqINUr1/IagD2F1FS4/ZOVaG9c+MaUVKq+ku9h21s7Bnmoi90s3LJ3Q1lxQhdpTcSWNGxliMcqVXNITMtIgZgW7uTQf+GK08ivK6Cd2numMAbFUKC0Gx5UBBnT655F16iY9uMMtlemxI37G0pmjfJVLQHTvWRINMA0TDPRsOTh88CREDnEnWF8FlzEEjRymeaXQRWN3bmB+mdJ3OCMltwM4rHDXg7kKq5jEmv5FCNaHOExftuL649sZlhWPJbDekLcWFQ1HWhYUXPSjIjtOSVsCMWgLaBDCeTZ5lsX64wwzo0G3g0m6mdEMl2O8l4me1p5o/Juge8hWMLTOrFTC2fX46wj+c14hK96+CpnRodTSbljk4rIHQZXnH2F8eP0UbaCxuIXffdTsphyc5bZBPVLBAE27VeOW17gCwnK5n75mhzsjeX3bFUPcsPdGCcm7apuvkIXPYtfQWYGyyHOV22qdBBoY2segOHBlHvgmPgehzH3bJLgZEa2vGO8JIisQkayG4ll/eQWLdbBstgcNuU6/taqjTjFsiT309AcKY97yY29+ghCWJhAnrpLhuQzIvJSgAKg4d/mE7ANzCmmN0Sh0NYmSnB8aJq2Z/hVvWTxS71RFKb4WYrAxcAvHVBSSCipfIs+g0kCjTCYSEE7LniSmQLuDtNWCwK+n1EwvOLOEirM8ILLReHxsQF+lSwQzhdETbG3ltal9yAKm7GuZ9i5tz1wizA4jaEMhFbh362GHHCAKoqOytR9CrjW5hNAb2XvXrsIDQrPY6EGrlxE0hffQD5tVPMMtibBP6j6iQOHs4sgXHkDmFEDbexpZmGH570UCWY4q9Suv5yxF7L0gOJH5RDCiK/3Yav2BsvRw3LMayDVl1u/FD9A3jGK/wCFgVzFLMn1TXI3lEBP6N7UNK7/qQvdqAt+O7dl39DH3XtjkvBYr5pwxLTC2sWOL9ZN/fLOZvfHerqCEhoblthTck2O1WVPBSzaFxWJ/NTTyYzVUXULUqin44N7MNgWQC7z+IZtmbCJTngqf6ETGjEiKcmAyJbrDzbtNhl8CIqgPt2qB7KuG4JDz830D7g8YQnGkADbg7eQhOFryPJ89S7YJS1wkLG6yysyRXj+/Gy/pk3jslOZxd2y62ZWPmUZwSpQypFNmsGdQ0b+4km1QlHIpnJHJ/l90k9qJlrzqkTiSoZ9n2yfidS6xbHBfTJYohmVQutCmYLFQLcEiLrIQ4WjF+yAMO/NPCxksRytQ9rhv5mB1a82lXgIBuzv+NAo0WPtctmj8/DGhqE3Yxw2BVKV2dX3tAcxscV7hjFGt/2VCuyseEbeq3DorodptQGtaREgK5rioVuSI4gzSbuZfHxgpGg5BgTt1R+liv9Xc3rXeivkGT0zQR9S8wZ5uY9LuGtn85fjPBDHk2+5gBq3rQDAgcmS8Spako3xSH72d1LKp8tjsaNiAAZQO3uxFOwjjB92LbZ1uu42d3CDFWF1HyhNQwnDDOw0TXD+DgTvBqyB8L40ty/oZ5ayUyYcaTG+Iq7Ta4j/3hCvsOiGkxA4xRyAAZF5Ta9J0DNE0yn0rWu9MJclfF/sHdB4c5+U1NqpLOEC67Cf302xMUvq0a9JaGGH22ub4WXUsovbDAI9WtxK9B0ouJubYDkPUlgrrHJlQRjcLjsIh33Qdm854wfgVmWJBc1MP0Zm9hSz1yfQDk3I+VNBztfWmw+w=
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZSTo1RsHYd7nRWsrfZTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqcun9bqp5+1i57EkkR7BseL1/zM2QutzGtJYOVrXBiftuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO6JIQJopFqwNEoBhPAnKY+DO5AAL2fiGE1g6xrIA3txAtKyQ73Zi/pARFN3uPLaOb91wsZMHQRRlWKajmS1hTgJn9imRHfzCz/QUxnmrItltmwrXJbVczpPzetfEscIsBuP3NNnH9WQ2/C36ZUErLtf0jsBdBMMpGrHpcOL7+fRYUP+Ik=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/d5104ffaaece9ed0
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 32 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe"C:\Users\Admin\AppData\Local\Temp\94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses