Overview

overview

10

Static

static

8

dcf3c03887...b.docm

windows7_x64

10

dcf3c03887...b.docm

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb

  • Size

    78KB

  • Sample

    220521-as4lvaagc2

  • MD5

    fe2d1caa2d52000efcd19ea1ea31d254

  • SHA1

    6496aa6a299bc606ee9d058bdf4f0d826a2e4541

  • SHA256

    dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb

  • SHA512

    592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d

Score
10/10
gandcrabbackdoormacroransomwarespywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
exe.dropper

http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
exe.dropper

https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
exe.dropper

http://sndtgo.ru/word.exe
exe.dropper

http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe

Extracted

Path

C:\JQGGQ-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .JQGGQ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/4f6ecbe4c8a27fc9 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAIhcpl0JSl79JsG5am3hGx5kqsMG8wFWgVcIiLxO3HBib3dM4FdF6ZK70vyLYAAuiqPtW6JV1NbOmb+AqkvVPkQopJdZBubDxFWz2ze3nB3i0rNH2EoEgdaEQGA0gwB86fUA2KVMIXfV25xYySl1Im/8E2Iqt/Ojg+AeRNX4JLCZCeWnyIRivbuoEJR56NeQtbNS9dJSKm0ZLqNTI6oREr93xYYk/vyPDCDfU9nsZvbkEcywVkmfjWmEwIYDYx9cmDn3TYO80c6U7dZDZv0zfqnKfbPU5D9odJTu4603koR/wa6YDCY7m8owJX7y7KZpmjYtBUvNcBNn+QofW6IcwnhRjo6z7EWIhKelmsufJwKVB1I2rEQ4+uKIO3vsLct/BqBKoQEuBgqVmH+3W+vip9y4JuHTp0/edS1S3SpmIJMfg+6oR19ivB/zeE1V8bQG4nzFNUPN5yrbU2E4gWCCOqJh0vjiufEheVrRLCs0q9EAZLMnn4AxPHzwrVZDdvvYBJUIpkgbYbDuG/L3jCqHyAXPqZeYRmxhvVC1WbIVIXqwR24wpoPzeQRhZUQHW99tHsOyhlK5U1ezB6R1AFIRM0qJvl+We+bCJzsOzdLJn1E3hN8xn2NRPJGAMvVyBr3z++BGK+abO09lmP20LzYLPbtf1guVRWtQyL4Ygxg8vudnE8UbAMuSBlvNB86U2g0M6Dds87g8UNnQkLaaUo+VscNpjEkjmCb+Aco5mxwy+nZvgTWtNVax2tXFpWDrI0uH2noQVlTlIIY+XKSBYXpWiksRDOzUBXCPTGzlUhZ6Q9RpWL9UqBCERNiLZ4CLN75/2ZU2jB2gJRTJxKOXof8SONpjvuqYz7T/A6HvkFJEF0jADQsxLmiFKZG4FUL8BqfJRDCuWpxJo/itZbNvmqhzpyG9zxv3xaVYWcSIboqHBbkVeppihPa3VXSbe+DFifsFHPSD7BSJ/z5KMVJD1t94qcE/9bEtmKmzJubn09NDfH5rdeAQ431jxdXm793EPXaICQc2qdLYhLl0aFosmbOu33O6Mfp8P+s8pHnVdj2IrrJruETkuXjr+h+rPp7qi+uKv4Cyeo8siEZRM7viLF1ufJx6WTPe4vsMhEJPzcwxqtJ7zRIs1u6IIzxP5KKhmNa41bTyiPRytGmhcJLDnP16X2Clqidzv+eQGTkGixh2y5aj2wPh09Sq+PbxufjSVy+xqU9GzCjR/GTOvLzfqTZ3rH9yWk3noWwXto/5JQ7+eTbpfG0Gfdam43/9P3t6Rcm2JmHAeWXiW4RKeADeMfj3wt14vuKNJu1ve9cwQu4nerExYTxGERTMYntwRP7QaJrtpVjh7ZwvQoPFlB9s5HbQpZEn1k7T8bJUBSSFbZ8bumAwA/8IYwFsReHF8yS5xTSM98Y97yxxiuG+U2/AyrO7iQHx4KznaohSHzvpzQ1d+w/2/ycujFtg8W1iDPB9rLSWcy45xH5uIm3h7zxbhL1FwDevBuplapS2kUZ1wlTxLxxRE1/jhtntvuwx4Ru2mnl0g8nFYdoPyNsRFtlIh5WHv6E3zD8vHIGyhW3nVgpR3lHbabiNwmfxsUQ6jtukvIssvzh+7ly/BbgPuJWMr9IFE0R/XjaGZ8uCM6tDQi15itvoMexamBL2y//0O9fjoTmxht4qQulIxBSH5+Jxahp6JgGJ8afhnIkx9r5N1lEUbA1GFp1ayO24+tJmtDQs6/IUOu5tVumo2rIn8eI94g6KwPXn+lgCfIvCtGCv1vTOdy3qtTNSr/T0rMbkNVWnMamrMYRKYxWrDAkjI06aCGzkDvQMZNEuV1luV8Ej2zQy4e1FX3Ro2byUdjcDH0hTHmD368itwRH1AAzfrXadp+FKIJ0dqifI46PMQTxUwpDy3hPA7KRCViYPYrUJPRw0IY1WhFd03mp5gcOjBupjWf/5BHK38G/VwmW84KOkfRDASv7+th169DKz/FjTor5o06sEV9s0FkD8d/1bsa52VDglVTQMlhTyGQ1AKTe98xr/I+Zgp0ciu5hieOV7HYdloqL0c5T2Z9xdkenmL/UaJENVlWUpheSUDYcoXBf+jf7wjEx2cWu0x0+r/sSayTbWEEuNssUWaj3k8UjzTuYEFcgBs1c9O3RVZ6xHPZieg7wtSuffsEPa8fznOvvJaOndx//NYe8THD7ycUZxfDWqHkShzC3RQUVEhRtLZylSnP79g5afvkL6EKLe5/6N8N9zGpVVHf0lZxo= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDp9MXJJpDJAuOVoeDXRXjIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSAiCTtLyJKNBeBnZq+8Y6R7O3ObGdmdaRi0fWP4ry9fNzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhKAuoTbFqJ2FPDKx4ChAudDoPVoM6j2VyOmsqBtvY7wLrt8yoi8C1f6lXTmV7q94EOxhgW2wOkzbb5IfuNxGLSuj7biAwDPiqTOLKPGgho2ZWKT+7AkCvGii2IEZErpE7CNmAIThyNQQIFD1UkGNybmMPZ1M1lI/p+RNe2IEi3TJCr7rN9c= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/4f6ecbe4c8a27fc9

Extracted

Path

C:\KXCSWK-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KXCSWK The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/93c436487f0515a | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAOV0+6SDSpmx2tHLo+nFm2VV6PmCto4cJWKJ7hSyw3deQtjR61TzEQgdalscG0aCy4dTHJlj5upgudBdpdAB1kXvOsmyVWdsdVlSkBhU0uaRtNp+waDVhLwHPxb+KjKQTRFz0KBsS73iZknrTDw1Qq1qrutfuGKjxlqemkTEA50tM0A7Yi5HEmYmlMnDmOo58GVjpGeEq5FgVInLE5YChuEG5My9j5T6kAw5MKTK+zOgdSjLFECjGElPbN2n/nEZsso8hV5HDy/7PMN2KGK3gqZNdy+8tQZ+dnnG/JninZzqAUCJ9C5q67x86MrxUIQ739lQ0K3YJ76DclvsLTFeUrF+upQ0vmCjEkgy+BBeG7IOqSkIAojnVDUZYeDYrWFXp0iEHjcfm1wkz2wcAEGUJUMszqkxtpC7sSDNsN+hjTqD517C+U6QZy+ZjE+rG6p6PpIovWzoLEu8Q/xF2xevnpYmqemoLJkSJD9NRI34CDtuOOJ0QWHKM+ONATWruAJ69k4+sb5tFBs6DTQr+LACbK5bURIeZgH7WO6uAzFq1AyEsPhMd38/B3UjRLZ66XQJUwOnNKPhTVdsKrxOrqVe0am/ROhfVpkWyH8fHjhtiqmb831NI6R7Dt6OYgTjO2G3+DAAkFBN9m7BRBSfNqM3WYkka9jTxxCjPpOeZKElfnXDwJ8I2+nmSjAKjTL3Rc+aC8g6PknAPRw4mhbMNbL3AEflso0COUQ2rhohf2KX2FnVDP2ustJHIt4rVZMKE9TCIopkWpkGPgCxeKj0tmfuLwQT2/8r9hYRNKAxU81W+/MFtqMBtYaHIN7bPKZ2cW/gPaqTlQCboRyO/wGoSyTFX0VWXLpoM+Pkx8MpSgjMYYd2b6hylhFnv17bze8zoXULCsB6Zebf6RiXLRY1xCBX09f9MJPuNs14sPaewF+oSLmMgRbKq5bnfslCVsWCdwRqU1AGW0CoDjcD9BDghJWUA2oXOqFcLSa1ymYOjdb/kC5Jr/pk3jpufRiJNFlDUJXhngPYC34/D78HKwftKfCop2pKluVz8MaNeoKw4WHseV0x6Ty2hRSwL1QnzV2Ebayw3iS4ix5opZni1rst4HMG43nOBSrnDFPPHHXKkhj+JYhLMQpVMYSZfsMqKr+JzOt5P6F4t6DYrk1dJ1Gtx/Xhd6opzbl9ya8GV3YhfMTydXn8z0ttakeYOMbcXbtAiiznBmBrgrd0OGLrEjTDhpUgx+o8dbQYst/WIEQUDNqVdzKOUINfkOAAEpMuxMjUV5BIoVXvWuORPfvgyjlPz172Jbf75HL1XfPrr5kkRflLelD7J8dmYihyptglN8R8t3RStkhTMYuu10UkMo/A708UOul8S5KCEtMh5SEhiUibwGqXsqe9kZfsa8umxETQ1Bzwu/6ZZzcUC+zWfiLIBxlUlHT7mWIxDXDY6KxV86V9f4qcn0hTmzfdlls21Pla+0DFtdh4pWMPA4ZCeuZ/AgAUqxNJWnwgAcOt9GT63KBnnXlrymA0b8MXxFIiPrCvWySoo9f/qln9x6JKZ/tlvyUpOXuhqzBlXDcZeFzs01XbckrwV2L8/n6qgg4+GlQP0lSdcKC7/S9XtiLaDzieuGkAX/q6FUsUIBfgtX5rS3vmnwwrAJcG0Aji824cC/zBt7PF7WMzdf/OqlEuHgPBlGsSKRvbaeYxbPkeUMQgeeVoaAhhT63rkg2AwfJdXPxJ4znUbdwwBGCtkasUFwlKyKfCfij0dor+Z35JtDK7xbQgtwgZHXlWtTGgCe+bm/I+bfEPciZ3XPv1s++0v0K4AD6vNDY9xVeT9O4P3C6OL0ZqcG0NWdocsw3M7yVG16LZRDBYY4d+HS6VL6L2F5gOfk0YrayplCmxwogfE/Q/eanLmZ+kiEIKHfpc2nLex8QizNBzS7iGXj6TT/FN7BvbbVXF60OBjStEu7FIuGxRxvfYWYsEGkp8UzeH3hmKwuC2zABlBg2/uKTy9A3szcl6JIauPP/Q1rtdPFyK+yqN9frIHM6IvFWan9DItBnLIY2qtYb/IfUocd0621QWPJMLBzfPKyF6A4Ck5A9KCe+aZBjxK4sliiSHBVmAM+5lbsRMryKF2RKgH7+a8xrInbpt+QTKYCHkd9p9nhkWTB/gvW+7v5u3EC0T1AoedQyQv4kbTr2QicoCYRz33+/hMYeA/AtmU0uqTjxA7XDOdT3l3QHdKoZs4npiay7I4Se0k3/1id0TpL7GJDo= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDq9NDJK5DSAu6VseDZRWnIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJdNAOBndqqsY9R+a3NbHEmdOR2keAP9zy/fNgLOXjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAooTTFqp2BPDax4ihAudvoNloC6iuVzOm2qBpvZrwBrtsyqy8A1fqlVzmR7qt4AuwwgS+wbkyMb58futxQLWmjvriRwBniojOwKKWg042SWKX+6AkUvCyim4EdEqxE9yN6AIPhmtRLIEP1VUGFyeqMeJ1Z1lg/vORKezAEhnSVCrHrOtcUPBaV ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/93c436487f0515a

Targets

    • Target

      dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb

    • Size

      78KB

    • MD5

      fe2d1caa2d52000efcd19ea1ea31d254

    • SHA1

      6496aa6a299bc606ee9d058bdf4f0d826a2e4541

    • SHA256

      dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb

    • SHA512

      592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d

    Score
    10/10
    gandcrabbackdoorransomwarespywarestealer

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks