General
- Target: 43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd
- Size: 795KB
- Sample: 220707-z7gs3aech6
- MD5: 92f8ed812a79b8037a112c6971f4970f
- SHA1: 19c2b1fc1d65d7c1c90f0c0811d6cb97475e46e7
- SHA256: 43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd
- SHA512: d8f5a302ac794c0f08f60bd4ab196deadf5c1549f1e5b863adce049d36e3d99ea243f16a0eee9a91b38e835f06bce2d04965a710791eac0fde9446192b7a92ff
Static task: static1
Behavioral task: behavioral1
- Sample: 43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
- C:\SXSGJMHVB-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/4c69ee2f3f9a89ad
Extracted
- C:\EUOQPW-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/5312939d88e43ac6
Targets
- Target: 43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd
- Size: 795KB
- MD5: 92f8ed812a79b8037a112c6971f4970f
- SHA1: 19c2b1fc1d65d7c1c90f0c0811d6cb97475e46e7
- SHA256: 43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd
- SHA512: d8f5a302ac794c0f08f60bd4ab196deadf5c1549f1e5b863adce049d36e3d99ea243f16a0eee9a91b38e835f06bce2d04965a710791eac0fde9446192b7a92ff
- GandCrab payload
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext