cryptolocker

General

Target

.
Size

147KB
Sample

240517-qge24sac6t
MD5

5210e280ae24357361093de3aa7015af
SHA1

1c46adc75b3b6e862821ff46a249e00b93e5230f
SHA256

a7b6ca34c012421ba5977d94a3d8e237b344767ddbcc852308ed16cd7099ac51
SHA512

58e9bb617363524098b356988b30d9abfd599b2d5b12badc9066ede8a2760a3d8ffe747347f0aa04b61487c517402d38bce91fec7dd1c8b807c1c6a6d823c739
SSDEEP

1536:o5kud8TPV9vK4DNvGR4Dbll1qKf+30vD932Os4DIHhqiS:wkPT3V+CllQHKuHhqiS

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Extracted

Path

F:\$RECYCLE.BIN\LNEOEX-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .LNEOEX The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e1f1454154a9731b | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAOeOPR+ieF8ZqqNOxgFQEW2FLFfdSfP5N1DTLyueGL658YhG0l+UCQ2jv6OVZs8477MdsmFE+kKwy1SKrFm+wwCWnMYxwFlUyYjj1fdqPrzRssVyxgpuCVpCHDyASpKtScd6BKFbodTXOsx6N7gFifHdZekt+JERwKUOp1gTPWQHUc83sZBchaRG85SRTCiky6TfMky+48HtWvCzLrftQHNlOvSsDCwOpLMyhCg5KRlKfn4W8Z606qrIxpTTCY/ypP46mLjVMn6XTlf0VX/P5kOjGNoxsyEi99QS6n1WhPxqHX8KUZ7QGeGSeoBEXrkyWM8+n4bbF+WQEbN77feSFJyJHdQv0U305oA1VzuHhsJ0PdF6u8aX0sArDHLvOFu3zP+mmm0TayhrvnH42ZUyO8oW749VKfDYWn3wwNk54F8Q4dCPW9xU5KEdqm7qWGjqirlowb76kRvWUY8bj1wIYRanV1COKkRIVB8KLGHAJ32IYxbOUDmrcBIp8VpVim3ZfkPc9FSFpz1bdUFSc8S4jTQe1NAH5fLM6B0T/ODd4Hg0D/QRP8DtpO12WGt3Uw2gnn4MspXlaGX0CsI9IcBDUiBpos02nmE1knipeFKZjvju0ARXTIGfJ+asFYYASOveUpMUoC9ynk/BHkSoAfPCZ+o2LErdRwKujrJ31LHfpAi++NnklTQMsAl9JYbZooj+a6vHmuAHrzv0j3yWuyGJ6oTRQxSQaqIfzLR0kCsuwEvfRbeR5r2B2n6kLw4U2TnGXc7MtIoZL0amwhpRzkcGMsXTg5I3R/0eF9rVEsRWCAtqE6I9VfXkPwlxOpEOWPleHi8DuLXI1QB2Bt5UPlb2KtXOaX5lydrKNKW+L+U3N3zv12cK/4sTgXwFp9z5nHVpQy9lSkRwMXjAWybtJW1NmLOLxJyIXhyUrI7hK+zLcSHlVoNxeisHpemS6Kw5dyxhrG0G1MEgAPJd72ItLd/yZhAoGCrTgb+n1fIj6IcCcUR/0xNP0YfFG3tdhvmjQA+ODDVhMVpHWbsHwYXR1QM7C0XbNJaiiQZFXhpVn/EurrMm7lpiCLLeut7B6lNUVT0mddD3CHUFhKq0X+34eeA7NgehbMva2bRYBsdKqoMapSvCEAO4gRvZcCv/s+7EAO7EH5An6AcmvA2gmCEUW/UvLvhCGhpBg3v3mzjW1b8kyRFR2JiYVZJ5eMUrNhz167v3joh7/fq+9Z3AomjY8VgICfcvLAZ+lftatU+bOYuhpDGl5Tce0wpwViVraLsPBgkwM4gFxzrGY5H8DBdD9xnIb6v30/KZJY7K6yKXEiGna0W4IIFwofoVdbbMfhEAzTnauXzIaU5v1a/cbtxAVx8ujp9AX6EkQR7f3hze2Gu63enwy5MM1L3dwrOwhvNCFSgb8iEG/ype8mD29FEOnlYhorNExYhVPAxLgqHqvaJDpdO8J9+Eu5h95pb8tmQJAVGi7MGYQxlv2FuW1OXNe/NbWjLTpoQnuxQX/Fesfi0TPNcVm7ot1rakc71npAu88rtCS3445OsIKSeurZ0sYKHsISQfMRlVDTtFM3CUVivv2VnXRiV2mXpLNHH5kNcI4e9XPOXgkX7Daa5xK/0r4JbJQNe3uvTQ1tgS2KLp+CFdJ2e5lVzSfmIGLNNzgAYOlo/0Pq18yEC0Ix4Bn5JvHLeOO4uFT+LggDV9UjQWl1DSA5SP4ukmGMmua1hnKdu8MaY3hHoV2BdnKeBOw9OEgJVWUjxWiKY6kz34am28RsiasiMjYFfx4jefI31PVUAmzauu3g89HthTZINbpA80uE1WJKQE3Gw6In17n0B9MhIDc54qmzOI6s/rexWhaMwFZMsnSLSgE5Icjz6k754qsWC9aMuJAWpikYaeToHrrtDl6509d7AmRE5IgBDbUozggKXm0Q0724uTwo3M8Of9c3HwuvMtylb6aJjatwAsYACxkY79RQkEGqL9a54Ite7sAaWdehN2+l/QkdJWmbixC6o45UpNmFv4azSuHcjM5VoKsBgElY9w8rxP8gxeiTwZPo0A+f/Z0VNjbFPaIn86ar7/oWP7+j9aF/Qnbwn4FfrULncH2hfT9jiqlpWsBGaZCWHSDmUCJWBd5Tw2B4g2O1Gv+/dBssAVIYHFDyxAIaSy4oAOSuMdg6vUDlWc7LeU81h0PqcUEX/IM/+VoHoLtalNfkE7Jn7k8YJVSJny7Ww6EDMt1NPDN/yqoDVD5bfoyLY0XBuvkic= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59MXJMJDLAvOVr+DDRWXIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJKNAMBnJqr8Y6R+W3NbHNmdGRiEfRP9Dy+/NmLLXjC6P0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtkyoC8E1fOlWTmX7qt4DuwxgT+wK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/e1f1454154a9731b

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\MXFXYGUK-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .MXFXYGUK The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e1f1454154a9731b | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFJSdIuhRRSQvppJlkHPjsXwMUUXnQkrmjTTFNUQlmnZHqtDUJMx+SxZGNik2yyva282Zvq50DRZ2xKFPv89vZOMDq3jiWsA+JzvCm0DAmgAL0cmfZVMbUPeDWNRo60Ax6xoSXZOe80kYA6LaktJ6VuNVjsdHyMsJFD88x11M29+d9Ce7bwfns5hyseI/ZcEA/yTLZ/4WHf2QEjovk+5J9FX6vmFgum7wXaZuDdCyjuHJSo+hYYnFNIRuRRNXDzTS0qcsoQnN4As7i+o5ZVlIJlj2ql8Vm+km/zS9202qqivKAneQgLsf4AtvAzLWphknz+ecHMlhWY96PbqCmVe7QVFzk7GMJFPSgJyfH7drDAZdknx6tcws/0ScXhhtvWhEfdsEtNbDdDhrAHPn0/7IiE/OjXq2M60LfuW05BqxYtx+oyD6LD3v5oibf4kDHGn0QuWxKTC23467Aq+j1jVjG8CWKGTqXLZ9ut5en3XNAIYj4XxT1IPOTUINRrSW4Oad4QN7Sshn8gnnzpVqP4N0ES3Vzg9+I2zoCpQ/mJpXlp323uMNhcaXIjUw1lcBeVErTXZyE0mmovgygKP99cByl6iNVWGj7kjjoJOrBupSgmA4OsC9U5hZjxp41dRlseUa2+zXEJ5upnBu1XCCUgFHAplG/wO1MiRgIRECeNc/boVbh8EoBp8EwFEWYJUE+kjjMGXHsD4XhaHmKL1RXoyV+nuIhRHqzFPNIyWDzS1lXu59GmZXKVvmFxkTKm4K1vlJ4cBwbgPMgMhxsF8RMRhv1Hod30CHfRQq0/FBgQzeBE3dwyWHk5EDUrT9EZrg5vOaAE9GsT3Vi5CQCDs6zM3qEdizzbe7FUR97k0ZSBLTJwzVS2KT9GrEjKK4SFGjCDmu6bThGX8R/OG8Ny79Rs8Dvj8XhuLM5dfcvBchbzayxFujKFYuweuDUQqIWaMSbqcE68Vu8wdr8NgcW/QYPWKO3jkp0O3FzYK20eUayF3ibZUJfK9v0gkvX0tqWWV7WhNoLGknTW1YbVgRLIAmcU7Gf9Bp9AaRxk0qWe/sUzRbsVU3JiC3ZdxrEDAVsik37tgqEEqJ52804seY0g51+PspZd60KNgCgYduroAVqg1ZkZ9GibgEtMYRcpF0VrqflOlHL3QT+h2Egc5W+XUQ/+MTcIaOw56Mcqjc714JwXVPiHr9dtaiX/4S/DCGUcGKR1fSj4xbc4pC0zFtR3ZfTckRNEutzwforMtO5StxOQ/LYLvXjmi0SZGg7Iw2tKmpoQz9CHRXFhoYBy3NpU3em0Uwa47yDhlX9R0pbtGxqQ2SgrYQCW/9UIloUIUcbl0slncHlmAOWvYuAEJ5PtuzE3Qu2GlTpxhXgytwGRaCpUBUxmRJGqM/tzkZX3XwXfZHzN/vFDATo6D3nsL5nvXEldaz91n2Od5XIXuatZRQoIBZDRdkgAgbm/hfRpa4NhylBvU9nJ3vbBYqV17eL1UTW2nH/5NXZlPqsFs0PLsEQM1upmBWLX758AwKYQxknb8b3J63xvw2NRWYIPF1Nmuzw/z0DtzQqvRO70quhBM0IxG1c/h/xIPb/gE7qecFLw9JAvwhZgUxMPs3wobTmNIWxU1wpxsVFiofh/elcmSRBE9b8GBUEi2fQrB9DmN/Gvh761Vb8OPwItE2/5tkOPPhHPzZGvXYi//nH9q1mZRcE/jUSwGsFEzoheNIngvm1rnLj06tWRof6AgsQpfrEuM1FKB3p43VRLrK7TTtu3Ye4w9ekF2E8WZVfjzryf9kdEw6wAJx8HH/cNNNuHuSuAVaULVVbJbWFO+uIz2vorbetSXNY44iieaohnOfv/+1RzdXygTf3oELuh5KKmrvcqqWsJMVqN3s8YGAgRsuK78Ge8lVadwRkF0j3mf2c1LfL1x/o26hWPsncAY2hJwTPzir1sO9dn1KyofKg3zs2bEi2uy2PBcubc4KBfmbdO9r4p/lOVZdaH1aG0v4qp6XY6H4pW149Q/5LrG8KM0s0raOGQOLerI4ugyzA05fUrM0mKf1TVYB3qu+xcDggQpwFM4+Iq+ahmSFTrI1UA+BnmgiHoIZiLL+0qraw2a+m8d5OQM7itvk0yP9bjWlxAJQLIPbYeKhiQfaAsE8XsFzity/mmNgk9AnEatZWMd9zEOiOkqBd9lu7cqP3cXULfx2nTACpwykOqu2jjNhEqOn6XyUXmJzfhkMTnkQ98dSgNDclAAz9VRdCQToMQ= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59MXJMJDLAvOVr+DDRWXIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJKNAMBnJqr8Y6R+W3NbHNmdGRiEfRP9Dy+/NmLLXjC6P0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtkyoC8D1filWDmT7q94A+w5gTuwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhwdQcIE/1WEGfyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/e1f1454154a9731b

Targets

- Target
  
  .
- Size
  
  147KB
- MD5
  
  5210e280ae24357361093de3aa7015af
- SHA1
  
  1c46adc75b3b6e862821ff46a249e00b93e5230f
- SHA256
  
  a7b6ca34c012421ba5977d94a3d8e237b344767ddbcc852308ed16cd7099ac51
- SHA512
  
  58e9bb617363524098b356988b30d9abfd599b2d5b12badc9066ede8a2760a3d8ffe747347f0aa04b61487c517402d38bce91fec7dd1c8b807c1c6a6d823c739
- SSDEEP
  
  1536:o5kud8TPV9vK4DNvGR4Dbll1qKf+30vD932Os4DIHhqiS:wkPT3V+CllQHKuHhqiS
Score

10^/10

cryptolocker gandcrab backdoor defense_evasion discovery evasion execution impact persistence ransomware spyware stealer upx
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Modifies WinLogon for persistence
  persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (150) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1