Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842

  • Size

    297KB

  • Sample

    240809-qd4aja1ckj

  • MD5

    314558f9a6da39ffd12cba6c1064b3b8

  • SHA1

    2c416cbfa8aeee687534b7c0888d411c0a837c59

  • SHA256

    64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842

  • SHA512

    41fdd3cff2e4620c0dfc7adca6a985ba5af69c1e72be409ae8d206534e32e1d3d34358f3f90521f57969c3cdf391442f4dfeba2a174b3abcbe72257d36706947

  • SSDEEP

    6144:ZUL4NWKzjkaphkIOe2q4EVSh/Bw/mhMgAB:ZUsNWK3bT4EneIB

Score
10/10
gandcrabbackdoorcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\FNAVAXK-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FNAVAXK The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a5a76a1c8c3645d3 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAC9vGqbOv+VxlXbDH9NkK/xGs+KtFuThrJ/oBczN2UxwaOGs1ZMKxQ78aoJXBkJsTdndIey9elFhQ6xdZJhWpbzKG1oodvolw6nYsPNfCP2buVZ6wl1J4IcTOUq1RUOPSiLjBiPO6W0ncvPWbCdnBHzW5xUxeSWEZ1BT9lENS/zcRGj+PnEg4mYsgb0LT/XB5LgU6Y0kwdGY9LmyZqCAnSWBzK6/UQB7yGApZCxmLNx8qCXFATqiojgQKBWdAokZwIA5jHujdMj2VfPeTYhx9u8IdHOzJf0f1DJr/rM7sJFvoa2AMehv13kLS3rvN5sA1b1/QX9tJPzMVQbPskdgpyHW5jJbixq7X6imI7d7wYN+qpiFgH2R46T/Het6eYCSUrtztmSgVKO6+9IO7gYvbQmc/xvHUR5pQH6zHfHsnBDlnk2Ra3nOwmu1pe9aEZ1VPgjNTaYg1iGROluqW7mDiM4BPDLD8DCqVSTn9fkGCDeg0qJ0OZjNvnwSJm3vyoCzX4m141eirZV88CDfpE5WURPx/nWWiKStH66e+JYiiLJSJxOXwZIBSY6Mx92Qs3pE4ABVae+SAUfZVeR+I4m8mC+8zalpRzizcChTwdY3eK7baRMHLzQNa8TgNM7TIDs1pUmqJ0ZwECCDGUB4yMlJU/QM4UpqRSZ8+f9KL95K8AE44dYzL4uQ3p3gKBSp6/751WWOQ/hPGoM6W1uzVBSB+2sEl7II+8x6b1n35cx5q1spST5qEe8u6QgfUnWoN6Qaf651zEfas91WnAO+JXGMMMiIMUEguV1g6X0mIHHABXykEKyqtrYGQLdfodzL1dVhXwN8E1wcqM0xQZl7sgrtcRr1OtYM0QHjsgnhz9h3aZ2JVPxXETDDbk8tCF+Mz4ElY7Sg4K1D3Hs6HJFQX2CLbKiU0I/Po1um3AYFsTz4PQgP9k2IBrXYgn63HCxNDtJSqXlkNr9XxqXgFSRn5cfl4xmpsOMEa5HxOaizjov72+qhZwv8qrylwlEF78C8+ks+orWg4Ugx+b0u77cBXT8lAbsQ90+Mo5P0k9tVI3LXK6CiJ6uknHQ05uW55e7xxgLnT1JTc1Gwt6vsk9aNMxrPOdWMCWI7Rn9tQaFHxJVTUz5VZz0VMuHg/3yTwEd8y3AEMfFS/6pIYchP9mXq/AMYYnxy9Iy1ofnAIdLl6/NcMtQDfUk+cWgn+prB6os7xVF9ed2uaJV4PSUUHUIVro/+qMoeEBH5bFhMGLzrkG8WlPPPPLYncgWQVr5x76cP3ZmRjQ1TD2nDqGOEwVLjz8zUETr43tJ4mp+NRUI//G2AFGc1Q7XdNEs11LGJM4q3B7QPbH+dAWL3hi7kTVSaCBn0quGxHUub5+1iBwV0NLcx93lF7Lby8ZSq9/JfVv+6PQWQBXQ1XGIGoDdDoFgshAfvcmoxf9+8UILTAbfWrpyoTEqwO8cMBiKnva2Vnn/rW8wLg/O8Avx6DXk7KNaUQLdnUPrf3sR71F/zfDd5WPU+2UPYU6mmeK7piuF8jzE+PHVfRj99fomz9uYJ2SzYOKN4DUsV0MGDvr2zBWh+CBYOYpoZ8wS+2KhYXl0Y+dLyFZuCV07NrGIWKM36Jdx/QBO80izHXQilVj9IpjAKzEqSqoqfaqaCWUgBDfpo+hBXqKOhBSF/C7wFW3ErHx/k6nbyTtQ5P7he6KLjuYTM4aTfjoiu1IUb+bAfRFatIlR3PxW+23yRQcnl9Tb06KOB/76Q5prPh9TkSrTMNqfXaV5AnsqeUD+IlfumWoj0NmoChYMlkgkS9Hug9cR1w4f1nnzZbGqMIx82vq6Qf09poIbirlkI1StWd6DYzgcJzo5JBV9ZuH/3mQCztmRl3HJPRB8VK4VnIXywPwzLB0IFbRRnGm15cw9YfcNMq3L6B1krFS6QwDu1q00GnAuiVKG4aO7iVr5bnIKBPtBSUAWvJwubqSb6Ps6tJ7Ps88IHNIWpclxPV1oOstQRKueC9JoLIIEZMCXljDXnLdqMnLLVJNx54NPEUjvIhSxXb/7amicNpW+KZDN/+xI8ciC3yWtbgrhiH93peC8O69gNU6hQEkH/eTCOWMX0sJCmN2OWjZJ0TQg2NBOBlRsOQvRVNnNetCrLE4cxTndYtrAD0npEkMbrCAiG+gmP92C5j9GfbkC/FFwVUa68UVfdd7mGxBc5J55BAwLB/ee81hf4cENdYbWyVS+cMerIdTQbr/OcbPXsf6qO+Pjh/Vo= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZYTpZRrHYb7nBWorfRTG+Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXBseKh/zc2FusgGopYbVrQBi/t/hHVEd8bpScX4o24OKb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFM3vTLNOav1w4ZMHQURl2KYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfr/KRdwPsok9V+butLOnzJ/9bHYIh8cz6exNRettGP+Pbn3W/eJIXs9ebdQm9EdhJFLd2qBglmnMLQYzygtAfj75QWEAiTIEnbJST+zbSAE= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/a5a76a1c8c3645d3

Targets

    • Target

      64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842

    • Size

      297KB

    • MD5

      314558f9a6da39ffd12cba6c1064b3b8

    • SHA1

      2c416cbfa8aeee687534b7c0888d411c0a837c59

    • SHA256

      64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842

    • SHA512

      41fdd3cff2e4620c0dfc7adca6a985ba5af69c1e72be409ae8d206534e32e1d3d34358f3f90521f57969c3cdf391442f4dfeba2a174b3abcbe72257d36706947

    • SSDEEP

      6144:ZUL4NWKzjkaphkIOe2q4EVSh/Bw/mhMgAB:ZUsNWK3bT4EneIB

    Score
    10/10
    gandcrabbackdoorcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (264) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks