General
- Target: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2
- Size: 578KB
- Sample: 220625-3gq6lagchp
- MD5: a3b368af763600c26c44d7cc3c0af571
- SHA1: 8e783c3279aaaac3653520bc519f4ea072846149
- SHA256: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2
- SHA512: 69c64c9931344332db35ca12b25e4e95d7210f436332c452990e2d01ae1f54dc44d76e820e7d0990ba6649faf0670593af93ec54a757b054a918ea3af991c63e
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
- Resource: win7-20220414-en
Malware Config
- Extracted from C:\ZBVXKT-DECRYPT.txt: http://gandcrabmfe6mnef.onion/d4401093f195500
- Extracted from C:\TERAJH-DECRYPT.txt: http://gandcrabmfe6mnef.onion/3cd64faaaba12900
Targets
- Target: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2
- Size: 578KB
- MD5: a3b368af763600c26c44d7cc3c0af571
- SHA1: 8e783c3279aaaac3653520bc519f4ea072846149
- SHA256: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2
- SHA512: 69c64c9931344332db35ca12b25e4e95d7210f436332c452990e2d01ae1f54dc44d76e820e7d0990ba6649faf0670593af93ec54a757b054a918ea3af991c63e
- GandCrab Payload
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext