General

- Target: 428334979d439e5ca293c3c82661a59f050aab3c6662a330d14884d5f5054a28
- Size: 225KB
- Sample: 220708-cqzwzsdcdr
- MD5: b44a855160e18e0348a607e810cc06f9
- SHA1: a615269f71bc6a6b802221e6ab255d0fdf838f38
- SHA256: 428334979d439e5ca293c3c82661a59f050aab3c6662a330d14884d5f5054a28
- SHA512: 08a101c760a13a2bdc652c90b7740af97428d481d1902f8151d58bf6d282526003a69c63f69dfee590b29f641026f3a2094dc1f5f91be47ab61a6ace08dfd99e
- Static task: static1
- Behavioral task: behavioral1
- Sample: 428334979d439e5ca293c3c82661a59f050aab3c6662a330d14884d5f5054a28.exe
- Resource: win7-20220414-en

Malware Config

- Extracted from C:\KHMRNV-DECRYPT.txt: http://gandcrabmfe6mnef.onion/e4124dd526b6bff
- Extracted from C:\SVFSYUSRIA-DECRYPT.txt: http://gandcrabmfe6mnef.onion/16a3d8b858a0f963
Targets
- GandCrab payload
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry