General
- Target: 398ab45708e9395b94c10786e1d4578c3868d6adc4f959c3269903b0b56fab25
- Size: 493KB
- Sample: 220625-lv1hrafeam
- MD5: 18bbaa35e26f6e55c5cb7ef6ffbd6c2a
- SHA1: 620e5ef2ecddbbc0132fb20e78c0c8d768510d60
- SHA256: 398ab45708e9395b94c10786e1d4578c3868d6adc4f959c3269903b0b56fab25
- SHA512: 48b001a0eb7f3560f6d7a40acfc1267a4f66d0ce0a5ffe0a77423ef5c241c2f94c1cd819dd0a6dc4c8e3611a7b531caeee181e7a4ada3a5dd9b227f5a03b966f
Static task: static1
Behavioral task: behavioral1
- Sample: 398ab45708e9395b94c10786e1d4578c3868d6adc4f959c3269903b0b56fab25.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 398ab45708e9395b94c10786e1d4578c3868d6adc4f959c3269903b0b56fab25.exe
- Resource: win10v2004-20220414-en
Malware Config
- Extracted
  C:\VJMIS-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/9d1228964bb1a00
- Extracted
  C:\CCEVSKK-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/7fc0c866739bc74
Targets
- Target: 398ab45708e9395b94c10786e1d4578c3868d6adc4f959c3269903b0b56fab25
- Size: 493KB
- MD5: 18bbaa35e26f6e55c5cb7ef6ffbd6c2a
- SHA1: 620e5ef2ecddbbc0132fb20e78c0c8d768510d60
- SHA256: 398ab45708e9395b94c10786e1d4578c3868d6adc4f959c3269903b0b56fab25
- SHA512: 48b001a0eb7f3560f6d7a40acfc1267a4f66d0ce0a5ffe0a77423ef5c241c2f94c1cd819dd0a6dc4c8e3611a7b531caeee181e7a4ada3a5dd9b227f5a03b966f
Score: 10/10
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext