General
Target: 3e71e188e91521dfe6b679264592598593a662fc1e3ef3ec0d9718831455a750
Size: 586KB
Sample: 220701-h85g3sbdc8
MD5: 6be55222abd92fa15e0842014bb13116
SHA1: 00dff6871b36c36828b5e2fcd1e3ac6a886025ad
SHA256: 3e71e188e91521dfe6b679264592598593a662fc1e3ef3ec0d9718831455a750
SHA512: 827bcdd8302c88b13c67fc6f5a9fef9487c36e72b56597f770705fc1149643f82396b45544542851b733ee11fd15ab9f6f276a4be36a48cdc5c7436ac47cf2c9

Static task: static1
Behavioral task: behavioral1
Sample: 3e71e188e91521dfe6b679264592598593a662fc1e3ef3ec0d9718831455a750.exe
Resource: win7-20220414-en
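Before touching a copy of this sample, confirm it is the file the report describes. The helper below is an added example, not part of the sandbox report: it embeds the four digests listed above as the expected values and reports which algorithms disagree, so a truncated download or a different build in the same family is caught before detonation. The byte strings used in the demonstration are constructed and are not the sample.

```python
# Added example (not part of the sandbox report): verify a local file against
# the digests the report lists for this sample.
import hashlib

# Digests copied from the report's General section.
EXPECTED = {
    "md5": "6be55222abd92fa15e0842014bb13116",
    "sha1": "00dff6871b36c36828b5e2fcd1e3ac6a886025ad",
    "sha256": "3e71e188e91521dfe6b679264592598593a662fc1e3ef3ec0d9718831455a750",
    "sha512": "827bcdd8302c88b13c67fc6f5a9fef9487c36e72b56597f770705fc1149643f8"
              "2396b45544542851b733ee11fd15ab9f6f276a4be36a48cdc5c7436ac47cf2c9",
}


def digest_bytes(data):
    """Return md5/sha1/sha256/sha512 hex digests of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def digest_file(path, chunk_size=1 << 20):
    """Same digests for a file on disk, read in chunks so large samples do not
    need to be loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in EXPECTED}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_digests(actual, expected=EXPECTED):
    """Return the sorted list of algorithms whose digest does not match.
    An empty list means the file is exactly the sample in the report; a
    partial mismatch would indicate a copy/paste error in one digest."""
    return sorted(name for name, want in expected.items()
                  if actual.get(name, "").lower() != want.lower())


def verify_sample(path, expected=EXPECTED):
    """Convenience wrapper: digest a file and compare it with the report."""
    return verify_digests(digest_file(path), expected)


if __name__ == "__main__":
    import sys
    mismatches = verify_sample(sys.argv[1])
    print("OK: file matches the report" if not mismatches
          else "MISMATCH on: " + ", ".join(mismatches))
```

Run it as `python verify.py <file>`; anything other than an empty mismatch list means the file is not the one analysed here, whatever its filename says.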
Malware Config
Extracted from C:\EDHHNDIG-DECRYPT.txt: http://gandcrabmfe6mnef.onion/14694067130573e6
Extracted from C:\BAUTLLWVT-DECRYPT.txt: http://gandcrabmfe6mnef.onion/78a235bbd87537f9

Two ransom notes were recovered, each with a different random name (EDHHNDIG, BAUTLLWVT) and a different victim ID on the same .onion host. In GandCrab v4/v5 the string before -DECRYPT.txt is also the extension appended to encrypted files, so the note names give you the extensions to hunt for. gandcrabmfe6mnef.onion is a 16-character v2 onion address, a service type Tor retired in 2021; treat the URLs as indicators, not as live endpoints.
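The extracted notes carry the two indicators a responder needs first: the extension written onto encrypted files and the per-victim payment ID. The following Python is an added example, not part of the report; it derives the extension from the note filename, pulls the onion host and victim ID out of the note URL, and uses the extensions to pick encrypted files out of a listing. The two (path, URL) pairs are the report's own; the file listing at the bottom is constructed.

```python
# Added example (not part of the sandbox report): turn GandCrab ransom-note
# artefacts into hunting indicators.
import re
from pathlib import PureWindowsPath

# Note filename convention in GandCrab v4/v5: <EXT>-DECRYPT.txt, where <EXT>
# is also appended to every encrypted file.
NOTE_NAME = re.compile(r"^(?P<ext>[A-Za-z0-9]+)-DECRYPT\.txt$", re.IGNORECASE)

# v2 onion hostnames are 16 base32 characters, v3 are 56; the path component
# in these notes is the hex victim ID.
ONION_URL = re.compile(
    r"https?://(?P<host>[a-z2-7]{16}|[a-z2-7]{56})\.onion/(?P<victim>[0-9a-f]+)",
    re.IGNORECASE,
)

# The two "Extracted" entries from the report.
EXTRACTED = [
    (r"C:\EDHHNDIG-DECRYPT.txt", "http://gandcrabmfe6mnef.onion/14694067130573e6"),
    (r"C:\BAUTLLWVT-DECRYPT.txt", "http://gandcrabmfe6mnef.onion/78a235bbd87537f9"),
]


def extension_from_note_path(path):
    """r'C:\\EDHHNDIG-DECRYPT.txt' -> 'EDHHNDIG'; None if the name does not fit."""
    m = NOTE_NAME.match(PureWindowsPath(path).name)
    return m.group("ext") if m else None


def onion_iocs(text):
    """All (host, victim_id) pairs in a note body or extracted config string."""
    return [(m.group("host").lower(), m.group("victim").lower())
            for m in ONION_URL.finditer(text)]


def summarize(extracted):
    """Collapse (note_path, note_text) pairs into the indicators to hunt for."""
    exts, hosts, victims = [], set(), []
    for path, text in extracted:
        ext = extension_from_note_path(path)
        if ext:
            exts.append(ext)
        for host, victim in onion_iocs(text):
            hosts.add(host)
            victims.append(victim)
    return {"extensions": exts, "onion_hosts": sorted(hosts), "victim_ids": victims}


def encrypted_files(paths, extensions):
    """Paths whose final suffix is one of the note-derived extensions."""
    wanted = {"." + e.lower() for e in extensions}
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in wanted]


if __name__ == "__main__":
    iocs = summarize(EXTRACTED)
    # Constructed file listing for demonstration; not from the report.
    listing = [
        r"C:\Users\victim\Documents\budget.xlsx.EDHHNDIG",
        r"C:\Users\victim\Pictures\holiday.jpg.BAUTLLWVT",
        r"C:\Users\victim\Documents\readme.txt",
        r"C:\EDHHNDIG-DECRYPT.txt",
    ]
    print(iocs)
    print(encrypted_files(listing, iocs["extensions"]))
```

Because the extension is random per run, a static file-extension indicator from another GandCrab incident will not match this one; derive it from the note name on the affected host, as above.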
Targets
Target: 3e71e188e91521dfe6b679264592598593a662fc1e3ef3ec0d9718831455a750 (the same file as under General: 586KB, identical MD5, SHA1, SHA256 and SHA512)

Signatures
- GandCrab Payload
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity (alerted twice during the run)
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely as a geofence.
- Drops startup file: writes a file into a Startup folder so it is launched at the next logon.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry: writes the Wallpaper value under HKCU\Control Panel\Desktop, the usual way ransomware puts its note on the desktop.
- Suspicious use of SetThreadContext: this call rewrites a thread's registers, including its instruction pointer, and is the step in process hollowing and thread hijacking that redirects a suspended thread into injected code.