General
-
Target
bbd29c1bed7bc593145104df7f0012937f67218b34e1013fec47ddbcb0debaf1
-
Size
225KB
-
Sample
220701-h1xr9shcgr
-
MD5
d84c5e55de25071b9c01b032be8343cc
-
SHA1
40c572ebba714271818532db9abdb4c28ef27177
-
SHA256
bbd29c1bed7bc593145104df7f0012937f67218b34e1013fec47ddbcb0debaf1
-
SHA512
8303e0bd44251dd7550f2279fbd79b0d3e51141ab17d0088df34fd78754fc63eca688e21c960489273c6dbb7d0b62b908d64be75e8b22924dc40c279159ec063
Static task
static1
Behavioral task
behavioral1
Sample
bbd29c1bed7bc593145104df7f0012937f67218b34e1013fec47ddbcb0debaf1.exe
Resource
win7-20220414-en
Malware Config
Extracted
C:\YTCPOVN-DECRYPT.txt
http://gandcrabmfe6mnef.onion/693b8bba59047dcd
Extracted
C:\LCLMPC-DECRYPT.txt
http://gandcrabmfe6mnef.onion/d1a193131030f592
Targets
-
-
Target
bbd29c1bed7bc593145104df7f0012937f67218b34e1013fec47ddbcb0debaf1
-
Size
225KB
-
MD5
d84c5e55de25071b9c01b032be8343cc
-
SHA1
40c572ebba714271818532db9abdb4c28ef27177
-
SHA256
bbd29c1bed7bc593145104df7f0012937f67218b34e1013fec47ddbcb0debaf1
-
SHA512
8303e0bd44251dd7550f2279fbd79b0d3e51141ab17d0088df34fd78754fc63eca688e21c960489273c6dbb7d0b62b908d64be75e8b22924dc40c279159ec063
-
GandCrab Payload
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-