General
Target: da0663cdd736719efa9675fd2c7841e8326a98b0b362e00acc8053dc39e29ecc
Size: 357KB
Sample: 220625-jm4jbsbggq
MD5: ab6ae20a37006ffb428a6fe1c8929e9b
SHA1: d3684d20e267870614ec6ba792bbd247d93f0499
SHA256: da0663cdd736719efa9675fd2c7841e8326a98b0b362e00acc8053dc39e29ecc
SHA512: 04c5dac60a4751fcf60c6223cbfc774c74e1a084894078378804f468670a1ace386d0fd0963207e1baf9e2ebefc20c4e9b8c4fbf6ef05993bcb8a4d3ebc5a3ac
Static task: static1
Behavioral task: behavioral1
  Sample: da0663cdd736719efa9675fd2c7841e8326a98b0b362e00acc8053dc39e29ecc.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: da0663cdd736719efa9675fd2c7841e8326a98b0b362e00acc8053dc39e29ecc.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted from C:\IWBWVBUL-DECRYPT.txt: http://gandcrabmfe6mnef.onion/a15dcc4b79af754b
Extracted from C:\DTWMTM-DECRYPT.txt: http://gandcrabmfe6mnef.onion/300dad963c5c1762
Targets
Target: da0663cdd736719efa9675fd2c7841e8326a98b0b362e00acc8053dc39e29ecc (357KB; hashes identical to the General section above)
- GandCrab Payload
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry