General
-
Target
43fd4796850703c76c679afbb4760a6f78ebad5b07d0fbb357f2e54dbc1fb5b1
-
Size
5KB
-
Sample
220707-zzrnasdhg3
-
MD5
32f7972a5dc08610ecbecd9b0024eba3
-
SHA1
087efaede6b348a745a48265d57b339751a04632
-
SHA256
43fd4796850703c76c679afbb4760a6f78ebad5b07d0fbb357f2e54dbc1fb5b1
-
SHA512
6fb27c53a5f6b3c221d191ffa77275eb2349deb6bccc9c109f99bafadbf2bd17378becce058397303a623341af6dfce93291caa7f20de9209d08a6a566ab864d
Static task
static1
Behavioral task
behavioral1
Sample
rechnung918738.pdf.js
Resource
win7-20220414-en
Malware Config
Extracted
http://www.sumiyuki.co.jp/js/test.exe?DuVBLp
Extracted
C:\IASNACMA-DECRYPT.txt
http://gandcrabmfe6mnef.onion/f1d13815d7a7eeb
Targets
-
Target
rechnung918738.pdf.js
-
Size
17KB
-
MD5
f5d402b4f54bf7ad7cf0328b4cddebc3
-
SHA1
82fc0558cf21ff062145e48e76821ecd5d10bc21
-
SHA256
00f77e0d744bbeabb6de0fd2278103d7e16bd6875aa1481fba97dc21f4f7c0d9
-
SHA512
256328a635b86e8ccea3163e95877fd5ee6a50f2d28707c9a6297c3739b4b836587760954182c19d4ca042d06e9293e13ef705023b169294179568cb0bb1214e
-
GandCrab payload
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry