General
-
Target
4c8a472d658ec51a4e81413b2fe81db614fc3676d69ad6eff621fa46ae4c0b07
-
Size
586KB
-
Sample
220712-gk9lfsdgan
-
MD5
c50124240410641182ec735cc8ee9b9a
-
SHA1
17564c7bfad1d4066d3b07e686a2d4f9b9415f6a
-
SHA256
4c8a472d658ec51a4e81413b2fe81db614fc3676d69ad6eff621fa46ae4c0b07
-
SHA512
8dfa088e750df0785632796b406f36126c7f28a09043db7d4cfb67cd72c355bb329f9b6fd2f83b9a1a2ea75a05a20c3a6bc09c0c5c215b26f4d4a3d1e2613566
Static task
static1
Behavioral task
behavioral1
Sample
4c8a472d658ec51a4e81413b2fe81db614fc3676d69ad6eff621fa46ae4c0b07.exe
Resource
win7-20220414-en
Malware Config
Extracted
C:\FDJGQL-DECRYPT.txt
http://gandcrabmfe6mnef.onion/6b02f5bc863a74f
Extracted
C:\QLMDROR-DECRYPT.txt
http://gandcrabmfe6mnef.onion/5a4b6daf45d76d2f
Targets
-
-
Target
4c8a472d658ec51a4e81413b2fe81db614fc3676d69ad6eff621fa46ae4c0b07
-
Size
586KB
-
MD5
c50124240410641182ec735cc8ee9b9a
-
SHA1
17564c7bfad1d4066d3b07e686a2d4f9b9415f6a
-
SHA256
4c8a472d658ec51a4e81413b2fe81db614fc3676d69ad6eff621fa46ae4c0b07
-
SHA512
8dfa088e750df0785632796b406f36126c7f28a09043db7d4cfb67cd72c355bb329f9b6fd2f83b9a1a2ea75a05a20c3a6bc09c0c5c215b26f4d4a3d1e2613566
-
GandCrab payload
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-