General
Target: 356bff6966ca7136a8486089c17205ba4b50fcc7f60655d82103dedce4473e55
Size: 411KB
Sample: 220627-ajwjwahhd2
MD5: 5809199a0df6e392aeb2cdc1b519be5d
SHA1: cf3460700ab3a10a15b1faad3bbbf413a312ae92
SHA256: 356bff6966ca7136a8486089c17205ba4b50fcc7f60655d82103dedce4473e55
SHA512: 9de122e2b29db1ff3a348a4fe07e22b3e6c1b0bad0c3f85776f3e6816d486887d1d4747472e16df524c4e9de2679659b841884f1ef517eb14af05894eb378099
Static task: static1
Behavioral task: behavioral1
Sample: 356bff6966ca7136a8486089c17205ba4b50fcc7f60655d82103dedce4473e55.exe
Resource: win7-20220414-en
Malware Config
Extracted from C:\PNUJLK-DECRYPT.txt: http://gandcrabmfe6mnef.onion/d22a53b8f5ab3a2b
Extracted from C:\DOVZNRFX-DECRYPT.txt: http://gandcrabmfe6mnef.onion/94a62e0896f6bc62
Targets
Target: 356bff6966ca7136a8486089c17205ba4b50fcc7f60655d82103dedce4473e55
Size: 411KB
MD5: 5809199a0df6e392aeb2cdc1b519be5d
SHA1: cf3460700ab3a10a15b1faad3bbbf413a312ae92
SHA256: 356bff6966ca7136a8486089c17205ba4b50fcc7f60655d82103dedce4473e55
SHA512: 9de122e2b29db1ff3a348a4fe07e22b3e6c1b0bad0c3f85776f3e6816d486887d1d4747472e16df524c4e9de2679659b841884f1ef517eb14af05894eb378099
GandCrab Payload
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Drops startup file
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry