General
Target: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb
Size: 78KB
Sample: 220521-as4lvaagc2
MD5: fe2d1caa2d52000efcd19ea1ea31d254
SHA1: 6496aa6a299bc606ee9d058bdf4f0d826a2e4541
SHA256: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb
SHA512: 592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d
Static task: static1
Behavioral task: behavioral1
  Sample: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
  Resource: win10v2004-20220414-en
Malware Config
Extracted (URLs):
  https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
  http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
  https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
  http://sndtgo.ru/word.exe
  http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe
Extracted from C:\JQGGQ-MANUAL.txt: gandcrab
  URL: http://gandcrabmfe6mnef.onion/4f6ecbe4c8a27fc9
Extracted from C:\KXCSWK-MANUAL.txt: gandcrab
  URL: http://gandcrabmfe6mnef.onion/93c436487f0515a
Targets
Target: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb (size and hashes as listed under General)
Score: 10/10
Signatures:
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry