General
-
Target
01e6fc5ed49a8f02bba5fe53bf47318081b1f807bc29a5fd8945b36c99925e4a
-
Size
225KB
-
Sample
220523-vz6d8sghe9
-
MD5
d19428e32312b67c6357549bb17edafb
-
SHA1
1c9857f67ee9402c41fbcf0a7c5aefb3e3a5a92e
-
SHA256
01e6fc5ed49a8f02bba5fe53bf47318081b1f807bc29a5fd8945b36c99925e4a
-
SHA512
a82db75ccb60aa165114613ae60c61cd143b7045900b74676e9f3348622458c233b8f86d8f8a1e4deb19e04aaca52ec4916b122baddfda2c4145befaa2a864c6
Static task
static1
Behavioral task
behavioral1
Sample
01e6fc5ed49a8f02bba5fe53bf47318081b1f807bc29a5fd8945b36c99925e4a.exe
Resource
win7-20220414-en
Malware Config
Extracted
C:\WBSDHQEI-DECRYPT.txt
http://gandcrabmfe6mnef.onion/9d6b034653336148
Extracted
C:\DTIFN-DECRYPT.txt
http://gandcrabmfe6mnef.onion/92ea6046a5f6604a
Targets
-
Target
01e6fc5ed49a8f02bba5fe53bf47318081b1f807bc29a5fd8945b36c99925e4a
-
Size
225KB
-
MD5
d19428e32312b67c6357549bb17edafb
-
SHA1
1c9857f67ee9402c41fbcf0a7c5aefb3e3a5a92e
-
SHA256
01e6fc5ed49a8f02bba5fe53bf47318081b1f807bc29a5fd8945b36c99925e4a
-
SHA512
a82db75ccb60aa165114613ae60c61cd143b7045900b74676e9f3348622458c233b8f86d8f8a1e4deb19e04aaca52ec4916b122baddfda2c4145befaa2a864c6
-
GandCrab Payload
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence to skip certain locales.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
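The behaviour tags above and the two extracted ransom-note configurations are the parts of this report an analyst reuses most. The script below is an added example, not code from the sandbox or from the GandCrab sample: it takes sandbox-style events, maps them onto the same five behaviour tags, and parses the dropped `*-DECRYPT.txt` notes to recover the `.onion` host and the per-victim path. The event records are constructed for the example; the registry keys and startup folder it matches on (`HKCU\Control Panel\International\Geo\Nation`, `HKCU\Control Panel\Desktop\Wallpaper`, the `Start Menu\Programs\Startup` folder) are assumptions about what each tag corresponds to, since the report names the behaviour but not the key.

```python
import re
from collections import defaultdict

# Artefacts shown in the report's "Malware Config" section: a ransom note named
# <UPPERCASE>-DECRYPT.txt at the drive root, containing a per-victim .onion URL.
NOTE_NAME = re.compile(r"[A-Z]{4,10}-DECRYPT\.txt$", re.IGNORECASE)
ONION_URL = re.compile(
    r"https?://(?P<host>[a-z2-7]{16,56}\.onion)/(?P<victim>[0-9a-f]{16})\b",
    re.IGNORECASE,
)

# Assumed registry keys / folder behind the report's behaviour tags (example only).
GEO_KEY = r"hkcu\control panel\international\geo\nation"
WALLPAPER_KEY = r"hkcu\control panel\desktop\wallpaper"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
DRIVE_ROOT = re.compile(r"[A-Z]:\\", re.IGNORECASE)

# Constructed sample events (not taken from the sandbox run). Only the two
# .onion URLs and note names are from the report above.
EVENTS = [
    {"op": "RegQueryValue", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"op": "QueryDirectory", "path": "D:\\"},
    {"op": "FileRename",
     "path": r"C:\Users\Admin\Pictures\cat.jpg",
     "new_path": r"C:\Users\Admin\Pictures\cat.jpg.wbsdhqei"},
    {"op": "FileWrite", "path": r"C:\WBSDHQEI-DECRYPT.txt",
     "content": "Your files are encrypted.\n"
                "http://gandcrabmfe6mnef.onion/9d6b034653336148\n"},
    {"op": "FileWrite", "path": r"C:\DTIFN-DECRYPT.txt",
     "content": "Your files are encrypted.\n"
                "http://gandcrabmfe6mnef.onion/92ea6046a5f6604a\n"},
    {"op": "FileWrite",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"op": "RegSetValue", "path": r"HKCU\Control Panel\Desktop\Wallpaper",
     "data": r"C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp"},
]


def parse_note(text):
    """Return host, victim path and full URL from a ransom-note body, else None."""
    m = ONION_URL.search(text)
    if not m:
        return None
    return {"url": m.group(0), "host": m.group("host"), "victim_id": m.group("victim")}


def tag_events(events):
    """Map raw events to the report's behaviour tags and collect parsed notes.

    Returns (tags, notes): tags is {tag_name: [evidence, ...]}, notes is a list
    of dicts with the note path plus the fields from parse_note().
    """
    tags = defaultdict(list)
    notes = []
    for ev in events:
        op, path = ev["op"], ev["path"]
        low = path.lower()
        if op == "RegQueryValue" and low == GEO_KEY:
            tags["Checks computer location settings"].append(path)
        elif op == "RegSetValue" and low == WALLPAPER_KEY:
            tags["Sets desktop wallpaper using registry"].append(ev.get("data", ""))
        elif op == "FileWrite" and STARTUP_DIR in low:
            tags["Drops startup file"].append(path)
        elif op == "FileWrite" and NOTE_NAME.search(path):
            cfg = parse_note(ev.get("content", ""))
            if cfg:
                notes.append({"path": path, **cfg})
        elif op == "FileRename":
            new = ev["new_path"]
            # Encrypted file keeps its original name and gains one appended extension.
            if new.lower().startswith(low + "."):
                tags["Modifies extensions of user files"].append(
                    (path, new, new.rsplit(".", 1)[-1]))
        elif op == "QueryDirectory" and DRIVE_ROOT.fullmatch(path) and not low.startswith("c:"):
            tags["Enumerates connected drives"].append(path)
    return dict(tags), notes


if __name__ == "__main__":
    found, dropped = tag_events(EVENTS)
    for name, evidence in found.items():
        print(f"{name}: {evidence}")
    for note in dropped:
        print(f"note {note['path']} -> {note['host']} victim {note['victim_id']}")
```

Two notes with different victim paths on the same host is exactly what the report shows for its static and behavioural tasks, so a triage script should key on the host (or the note-name pattern) rather than on the full URL.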