General
Target: 6475fe94cd3449e37620e0e78fe5d5ccd2855defb71626b1f349b4a96a5c4254
Size: 350KB
Sample: 220707-yxwzkaadcp
MD5: 4b0751e0723f814cb13a36ad72e07d6b
SHA1: f80a55c0889961f5282788d1f6f5c534b22f9c0f
SHA256: 6475fe94cd3449e37620e0e78fe5d5ccd2855defb71626b1f349b4a96a5c4254
SHA512: 056354c98456b3c690047eff45988c61cdbf48e9813c686231bdacec1c0ecf434f4f8b62463da8464078217db743d3e11502043437066b730a0d8b63be7537a1
Static task: static1
Behavioral task: behavioral1 (Sample: 1.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: 1.exe, Resource: win10v2004-20220414-en)
Behavioral task: behavioral3 (Sample: 3.exe, Resource: win7-20220414-en)
Behavioral task: behavioral4 (Sample: 3.exe, Resource: win10v2004-20220414-en)
Behavioral task: behavioral5 (Sample: 4.exe, Resource: win7-20220414-en)
Behavioral task: behavioral6 (Sample: 4.exe, Resource: win10v2004-20220414-en)
Malware Config
Extracted from C:\WXWQR-DECRYPT.txt (family: gandcrab): http://gandcrabmfe6mnef.onion/b4ab1dfbf0a34cd4
Extracted from C:\HPNONV-DECRYPT.txt (family: gandcrab): http://gandcrabmfe6mnef.onion/8a5c6745f866a738
Extracted from C:\FBHRZCAQDS-DECRYPT.txt (family: gandcrab): http://gandcrabmfe6mnef.onion/1d1381568c1b5008
Extracted from C:\BQGYPGGTN-DECRYPT.txt (family: gandcrab): http://gandcrabmfe6mnef.onion/c88c6d209e8ece03
Extracted from C:\AZMCHWUUQ-DECRYPT.txt (family: gandcrab): http://gandcrabmfe6mnef.onion/89f7458967f6fcbf
Extracted from C:\QYAINGIVAS-DECRYPT.txt (family: gandcrab): http://gandcrabmfe6mnef.onion/44f5e48b684c8918
Targets

Target: 1.exe
Size: 98KB
MD5: e84174bf344419280a719cb7e9c033b5
SHA1: 00ec359d33dddad510e47e0cf708aa4702c15977
SHA256: b1a150630cf575d31d0e788e6ca0eca33875aac5b8a9eb873e79731b1956e42b
SHA512: 9345c89c1c043209e09423e9921e0276bf1a99cde19e5690d5929b139356b016389b10a34bb286e5dc3771c82bc0386ff23d064a42f219d882420273492bf719
Score: 10/10
Signatures:
  Modifies extensions of user files. Ransomware generally changes the extension on encrypted files.
  Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
  Drops startup file.
  Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
  Sets desktop wallpaper using registry.
Target: 3.exe
Size: 98KB
MD5: d840bd5931256bc23c634fab43dafc3e
SHA1: cf5d56598c11444cfd4e6e843eee680b8af2eaf7
SHA256: a89ff5da7c1c949768bd1f83fede6a02363ec8082b057aa34ea627d4ac81de8a
SHA512: 44ebe81c50774d2b507ad3ffa135f552f4227436c43e902064a6cdb3f114798041434b3528e1156652565654b89fbe103ebe649a2cf167e389b1713b3be0d974
Score: 10/10
Signatures:
  Modifies extensions of user files. Ransomware generally changes the extension on encrypted files.
  Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
  Drops startup file.
  Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
  Sets desktop wallpaper using registry.
Target: 4.exe
Size: 98KB
MD5: eae1d32442fadc2b737837adada39c54
SHA1: 3779ec749f00515e31eb4fff4ae8205f44a6ea80
SHA256: 2e818946ec3ef46b1274aa212fdf73c2214ea00f8db0533cbc4fba353a60ce5a
SHA512: 52151027c9ee32466ac34852ac9eec07a06fedab15309ef3a4d3b4138e39b7856dbb798e3b222a4cab8242532e8066001d785c64856830ee1d902139a7c666f0
Score: 10/10
Signatures:
  Modifies extensions of user files. Ransomware generally changes the extension on encrypted files.
  Drops startup file.
  Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
  Sets desktop wallpaper using registry.