General
-
Target
98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7
-
Size
373KB
-
Sample
240605-a6gn8shh37
-
MD5
22f058c63433aead41e7802c6925999b
-
SHA1
cad8e3ebe1c411b0c745dd978df033585fc3347c
-
SHA256
98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7
-
SHA512
ba7e3a8b4ebf279bf3ed5aa49d858842e409f3bb3adaf974de62dc7ef39aed2bd0d301da3c294b372a77b2f2b4695736adf89f36c0db803742bbefcca4b5de44
-
SSDEEP
6144:OjCffjC1ipPpp1lOeRV1ZTrhUoP4g+rBi+GLq7oy6hkTs3jELrTlBUqgQaV:O2ffG4pPphBRVjeoP4gPzIoy6dzErrYR
Static task
static1
Behavioral task
behavioral1
Sample
98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/a95fd0036adeb9cb
Extracted
C:\$Recycle.Bin\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/9c4adcb9ee990aff
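The two extracted configs above are ransom-note drops: the sandbox found the note file and pulled the victim-specific .onion URL out of it. The following Python is an added example of doing the same extraction over note files during triage; it is not part of the sandbox report or of any GandCrab tooling. The drop paths and URLs are the ones listed above; the note text around them is constructed for the example, and the <EXT>-DECRYPT.txt name pattern is an assumption that generalises the KRAB-DECRYPT.txt name seen here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample notes. The two drop paths and the two .onion URLs are the
# ones the sandbox extracted (Malware Config above); the note body around them
# is made up for this example and is not the real GandCrab note text.
SAMPLE_NOTES: Dict[str, str] = {
    r"C:\Users\KRAB-DECRYPT.txt": (
        "All your files have been encrypted.\n"
        "To get the decryptor open this page in Tor Browser:\n"
        "http://gandcrabmfe6mnef.onion/a95fd0036adeb9cb\n"
    ),
    r"C:\$Recycle.Bin\KRAB-DECRYPT.txt": (
        "All your files have been encrypted.\n"
        "http://gandcrabmfe6mnef.onion/9c4adcb9ee990aff\n"
    ),
}

# v2 (16-char) and v3 (56-char) onion hostnames are base32 (a-z, 2-7).
ONION_URL_RE = re.compile(
    r"https?://(?P<host>[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion)"
    r"(?P<path>/[^\s\"'<>]*)?",
    re.IGNORECASE,
)

# Assumption for this example: generalises the KRAB-DECRYPT.txt name in the
# report to <EXT>-DECRYPT.txt, where EXT is the appended file extension.
NOTE_NAME_RE = re.compile(r"^[A-Z0-9]{4,10}-DECRYPT\.txt$", re.IGNORECASE)


def is_ransom_note_name(path: str) -> bool:
    """True if the file-name part of a Windows path matches <EXT>-DECRYPT.txt."""
    name = path.rsplit("\\", 1)[-1]
    return NOTE_NAME_RE.match(name) is not None


def extract_onion_urls(text: str) -> List[str]:
    """Return every .onion URL found in a note body, in order of appearance."""
    return [m.group(0) for m in ONION_URL_RE.finditer(text)]


def parse_ransom_note(path: str, text: str) -> Optional[dict]:
    """Turn one dropped note into an indicator record, or None if it is not one."""
    if not is_ransom_note_name(path):
        return None
    m = ONION_URL_RE.search(text)
    if m is None:
        return None
    # The report shows a different URL path in each dropped note, so keep the
    # path separately: the host can be blocked globally, the path ties drops
    # to a particular victim/infection.
    return {
        "note_path": path,
        "onion_host": m.group("host").lower(),
        "victim_token": (m.group("path") or "/").lstrip("/"),
        "url": m.group(0),
    }


def parse_all_notes(notes: Dict[str, str]) -> List[dict]:
    """Parse a {path: contents} mapping of dropped files into indicator records."""
    return [r for r in (parse_ransom_note(p, t) for p, t in notes.items()) if r]


if __name__ == "__main__":
    for rec in parse_all_notes(SAMPLE_NOTES):
        print(rec)
```

In a real triage run the `notes` mapping would come from the dropped-files list of the sandbox or from a disk image; the host part of each record is the indicator worth sharing, the path token is specific to this infection.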
Targets
-
-
Target
98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7
-
Deletes shadow copies
Ransomware commonly deletes Volume Shadow Copies and other backups before or after encryption to inhibit system recovery.
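The report records the behaviour but not the command used. As an added example, not part of the sandbox report, the Python below runs the usual shadow-copy tampering rules over constructed process-creation events (Sysmon Event ID 1 style, reduced to pid, image and command line). The event lines are made up for the example; the commands they contain are the well-known vssadmin, wmic, PowerShell/WMI, bcdedit and wbadmin variants, chosen as the ones a detection engineer would cover, not taken from this sample.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed process-creation events. They are made up for this example; the
# report only states that the sample deletes shadow copies, not how.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1204, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1220, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 1240, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 1260, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    # Benign administration in the same log: listing shadows is not tampering.
    {"pid": 1300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
    {"pid": 1310, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

# (rule name, expected image base name, command-line pattern)
RULES: List[Tuple[str, str, Pattern[str]]] = [
    ("vssadmin_delete_shadows", "vssadmin.exe",
     re.compile(r"\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete", "wmic.exe",
     re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
    ("bcdedit_disable_recovery", "bcdedit.exe",
     re.compile(r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b", re.IGNORECASE)),
    ("powershell_win32_shadowcopy_delete", "powershell.exe",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.IGNORECASE)),
    ("wbadmin_delete_catalog", "wbadmin.exe",
     re.compile(r"\bdelete\s+catalog\b", re.IGNORECASE)),
]


def image_basename(image: str) -> str:
    """Lower-case file name of a Windows image path (handles / and \\)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_shadow_copy_tampering(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one hit per event whose image and command line match a rule."""
    hits = []
    for ev in events:
        img = image_basename(str(ev["image"]))
        cmd = str(ev["cmdline"])
        for name, expected_image, pattern in RULES:
            if img == expected_image and pattern.search(cmd):
                hits.append({"pid": ev["pid"], "rule": name, "cmdline": cmd})
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(hit)
```

Matching on the image name keeps `vssadmin List Shadows` out of the alert, but it also means a copy of vssadmin.exe renamed by the attacker is missed; where the log source offers it (Sysmon's OriginalFileName), match on that field rather than the path.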
-
Detects ransomware indicator
-
Gandcrab Payload
-
Renames multiple (281) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.
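The signature above fires on the count of renames (281 here) that append an extension. The Python below is an added example of that detection logic over file-rename telemetry; it is not part of the sandbox report. The events are constructed: an encryptor process appending one extension to 40 files in under a minute, ordinary renames, and a slow backup job that appends `.bak` to many files but never many per minute. The `.KRAB` extension is assumed for the example to match the note name; the report does not list the extension it observed.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional


def _build_sample_events() -> List[Dict[str, object]]:
    """Constructed file-rename events: ts (seconds), pid, old path, new path."""
    events: List[Dict[str, object]] = []
    # Encryptor process: 40 documents renamed within about 20 seconds, each
    # gaining the same appended extension. ".KRAB" is assumed for the example;
    # the report counts 281 renames but does not list the extension.
    for i in range(40):
        old = rf"C:\Users\victim\Documents\report_{i:03d}.docx"
        events.append({"ts": 1000 + i // 2, "pid": 4712, "old": old, "new": old + ".KRAB"})
    # Ordinary user activity in the same window: a plain rename and one .bak copy.
    events.append({"ts": 1005, "pid": 2100,
                   "old": r"C:\Users\victim\Desktop\New Text Document.txt",
                   "new": r"C:\Users\victim\Desktop\notes.txt"})
    events.append({"ts": 1006, "pid": 2100,
                   "old": r"C:\Users\victim\Downloads\setup.ini",
                   "new": r"C:\Users\victim\Downloads\setup.ini.bak"})
    # A slow backup job appending .bak to 25 files one minute apart: many
    # renames in total, but never enough inside one 60-second window.
    for i in range(25):
        old = rf"D:\share\archive_{i:02d}.zip"
        events.append({"ts": 2000 + i * 60, "pid": 3300, "old": old, "new": old + ".bak"})
    return events


SAMPLE_EVENTS = _build_sample_events()

# The new name must be the old name plus a dot and a short token.
ADDED_EXT_RE = re.compile(r"\.[A-Za-z0-9_-]{1,16}$")


def added_extension(old: str, new: str) -> Optional[str]:
    """Return the extension appended to old to produce new, or None."""
    if not new.startswith(old):
        return None
    m = ADDED_EXT_RE.fullmatch(new[len(old):])
    return m.group(0)[1:] if m else None


def detect_mass_rename(events: List[Dict[str, object]],
                       threshold: int = 20, window_s: int = 60) -> List[Dict[str, object]]:
    """Flag processes that append an extension to >= threshold files within window_s seconds."""
    by_pid: Dict[object, List[tuple]] = defaultdict(list)
    for ev in events:
        ext = added_extension(str(ev["old"]), str(ev["new"]))
        if ext is not None:
            by_pid[ev["pid"]].append((int(ev["ts"]), ext))
    hits = []
    for pid, items in by_pid.items():
        items.sort()
        # Sliding window: largest number of qualifying renames within window_s.
        left, best = 0, 0
        for right in range(len(items)):
            while items[right][0] - items[left][0] > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            ext, _ = Counter(e for _, e in items).most_common(1)[0]
            hits.append({"pid": pid, "extension": ext,
                         "renames_in_window": best, "total_renames": len(items)})
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for hit in detect_mass_rename(SAMPLE_EVENTS):
        print(hit)
```

The rate is what separates the encryptor from the backup job: widening the window to an hour flags the backup process as well, so the threshold and window should be tuned against the hosts' normal rename volume rather than set from one sample.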
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing (skipping victims in certain countries).
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-