General

Target: 2024-09-29_246a010eebecb1a79764ab6419be43bd_gandcrab_karagany
Size: 139KB
Sample: 240929-z7v1pavfqa
MD5: 246a010eebecb1a79764ab6419be43bd
SHA1: 06cc1753fc2f07811ffd081115a95b3b4ebbb0b1
SHA256: d4d18e74329b130973548fea288bccf243920d8c1ead47d2e7d15932e3b1d8dd
SHA512: 26ba462be7337f7248973b74a259aa452558ca07ad2b18815a2e081b44671fe3b889d34e8a93da8d61f727fb0c8582ac32eb84918ae7292614d48a9a702db7f3
SSDEEP: 1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpECaIxWzB:VM9ntZ3s1QJdnU2SQdf64ZZSCaIxWecx
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-09-29_246a010eebecb1a79764ab6419be43bd_gandcrab_karagany.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 2024-09-29_246a010eebecb1a79764ab6419be43bd_gandcrab_karagany.exe
  Resource: win10v2004-20240802-en
Malware Config

Extracted from: F:\$RECYCLE.BIN\DVYFWLMB-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/5d0411276196a980

Extracted from: F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\PYLZITSY-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/d06120bf69520d07

Both ransom notes point at the same .onion host; only the path component differs, and that path is the per-victim identifier the payment page keys on. In GandCrab the random prefix of the note name (DVYFWLMB, PYLZITSY) is the extension the sample appends to the files it encrypts, so the note name alone tells you which extension to hunt for on the affected host.
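The config extraction shown above can be reproduced offline from the dropped notes. The following is an added example, not code from the report or from the sandbox vendor: it recognises GandCrab note files by their <EXT>-DECRYPT.txt name, pulls the .onion host and victim identifier out of the note body, and reports the appended extension. The note bodies are constructed for the example; only the two file names and the two URLs are taken from the Extracted section, and the decoy readme.txt is invented to show the negative case.

```python
import re
from typing import Dict, List, Optional

# Constructed note bodies for the example. Only the two file names and the two
# .onion URLs come from the Extracted section of the report; the surrounding
# wording is a placeholder, not the real note text.
SAMPLE_NOTES: Dict[str, str] = {
    r"F:\$RECYCLE.BIN\DVYFWLMB-DECRYPT.txt": (
        "ALL YOUR FILES ARE ENCRYPTED (placeholder text)\n"
        "Open this link in the Tor browser:\n"
        "http://gandcrabmfe6mnef.onion/5d0411276196a980\n"
    ),
    r"F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\PYLZITSY-DECRYPT.txt": (
        "ALL YOUR FILES ARE ENCRYPTED (placeholder text)\n"
        "http://gandcrabmfe6mnef.onion/d06120bf69520d07\n"
    ),
    # Invented decoy that must not be reported as a ransom note.
    r"C:\Users\Admin\Desktop\readme.txt": "Quarterly notes, nothing to see here.\n",
}

# GandCrab names its note <EXT>-DECRYPT.txt, where EXT is the random extension
# appended to encrypted files.
NOTE_NAME_RE = re.compile(r"^([A-Z]{4,10})-DECRYPT\.txt$", re.IGNORECASE)
# v2 (16 chars) or v3 (56 chars) onion host, optionally followed by a hex victim id.
ONION_RE = re.compile(r"https?://([a-z2-7]{16}|[a-z2-7]{56})\.onion(?:/([0-9a-f]{8,32}))?")


def parse_note(path: str, text: str) -> Optional[dict]:
    """Return the config embedded in one note, or None if the file is not a note."""
    name = path.rsplit("\\", 1)[-1]
    m = NOTE_NAME_RE.match(name)
    if not m:
        return None
    urls = ONION_RE.findall(text)
    if not urls:
        return None
    host, victim_id = urls[0]
    return {
        "note": path,
        "extension": m.group(1).upper(),
        "onion_host": host + ".onion",
        "victim_id": victim_id or None,
        "url": ONION_RE.search(text).group(0),
    }


def extract_all(notes: Dict[str, str]) -> List[dict]:
    """Run parse_note over every candidate file; output order follows the input."""
    found = []
    for path, text in notes.items():
        cfg = parse_note(path, text)
        if cfg:
            found.append(cfg)
    return found


def victim_ids(configs: List[dict]) -> List[str]:
    """Distinct victim identifiers (the URL path) across all notes, in order seen."""
    seen: List[str] = []
    for c in configs:
        if c["victim_id"] and c["victim_id"] not in seen:
            seen.append(c["victim_id"])
    return seen


if __name__ == "__main__":
    for cfg in extract_all(SAMPLE_NOTES):
        print(cfg["note"])
        print("  ext=%s host=%s victim=%s" % (cfg["extension"], cfg["onion_host"], cfg["victim_id"]))
```

On a real disk image, feed `extract_all` a mapping built by walking the volume for files whose name matches `NOTE_NAME_RE`; the two notes in this report would yield the same host and two distinct victim identifiers, one per sandbox run.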
Targets

Target: 2024-09-29_246a010eebecb1a79764ab6419be43bd_gandcrab_karagany (139KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Deletes shadow copies: ransomware commonly destroys Volume Shadow Copies and other backups to inhibit system recovery.
- Renames multiple (285) files with added filename extension: this suggests ransomware activity, encrypting files across the system and appending an extension to each one.
- Checks computer location settings: looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), likely a geofence that skips selected countries.
- Credentials from Password Stores: Windows Credential Manager: suspicious access to the DPAPI credential history file (CREDHIST under %APPDATA%\Microsoft\Protect).
- Drops startup file: writes a file into the user's Start Menu Startup folder so it is launched at logon.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive, the usual precursor to encrypting every attached volume.
- Sets desktop wallpaper using registry: writes HKCU\Control Panel\Desktop\Wallpaper to display the ransom message.
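The behavioural signatures listed above are each a simple predicate over the sandbox event stream. The block below is an added example, not the sandbox's own rule set, that re-implements them over a constructed event log: process command lines, file renames, registry reads and writes, directory queries and file drops. The event format, the drive letters, the file names, the appended extension (assumed to match the note prefix) and the 60-file rename count are all assumptions made for the example; the command lines and registry keys are the ones these behaviours are commonly detected on.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sandbox events modeled on the signature descriptions above.
# The command lines, registry keys and paths are the ones these signatures
# are commonly written against; the file names, drive letters, extension and
# rename count are illustrative and not taken from the report.
EVENTS: List[dict] = [
    {"type": "process", "cmdline": "C:\\Windows\\System32\\wbem\\wmic.exe shadowcopy delete"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "notepad.exe C:\\Users\\Admin\\notes.txt"},
    {"type": "reg_read", "key": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"},
    {"type": "dir_query", "path": "C:\\"},
    {"type": "dir_query", "path": "D:\\"},
    {"type": "dir_query", "path": "E:\\"},
    {"type": "dir_query", "path": "F:\\"},
    {"type": "file_read", "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST"},
    {"type": "file_write", "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dropped.lnk"},
    {"type": "reg_write", "key": "HKCU\\Control Panel\\Desktop", "value": "Wallpaper", "data": "C:\\Users\\Admin\\AppData\\Local\\Temp\\wall.bmp"},
]
# 60 encrypted-file renames that append one extension (assumed to match the note prefix).
EVENTS += [
    {"type": "file_rename", "src": "F:\\docs\\report%d.docx" % i, "dst": "F:\\docs\\report%d.docx.DVYFWLMB" % i}
    for i in range(60)
]
# A benign rename that swaps the extension instead of appending one; must not count.
EVENTS.append({"type": "file_rename", "src": "C:\\tmp\\a.tmp", "dst": "C:\\tmp\\a.txt"})

SHADOW_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)


def sig_deletes_shadow_copies(events: List[dict]) -> List[str]:
    """Command lines that delete Volume Shadow Copies or the backup catalog."""
    return [e["cmdline"] for e in events if e["type"] == "process" and SHADOW_RE.search(e["cmdline"])]


def sig_renames_with_added_extension(events: List[dict], threshold: int = 50) -> Optional[Tuple[str, int]]:
    """(extension, count) when at least `threshold` renames append the same single extension."""
    exts: Counter = Counter()
    for e in events:
        if e["type"] != "file_rename":
            continue
        src, dst = e["src"], e["dst"]
        if dst.startswith(src + ".") and "." not in dst[len(src) + 1:]:
            exts[dst[len(src):]] += 1
    if not exts:
        return None
    ext, n = exts.most_common(1)[0]
    return (ext, n) if n >= threshold else None


def sig_checks_location(events: List[dict]) -> bool:
    """Read of the configured country code, the usual geofence check."""
    return any(
        e["type"] == "reg_read"
        and e["key"].lower().endswith("control panel\\international\\geo")
        and e.get("value", "").lower() == "nation"
        for e in events
    )


def sig_credential_history_access(events: List[dict]) -> List[str]:
    """Reads of the DPAPI credential history file."""
    return [e["path"] for e in events if e["type"] in ("file_read", "file_open")
            and e["path"].lower().endswith("\\microsoft\\protect\\credhist")]


def sig_drops_startup_file(events: List[dict]) -> List[str]:
    """Files written into a Start Menu Startup folder."""
    return [e["path"] for e in events if e["type"] == "file_write"
            and "\\start menu\\programs\\startup\\" in e["path"].lower()]


def sig_enumerates_drives(events: List[dict]) -> List[str]:
    """Root-path queries on drives other than C:, sorted and de-duplicated."""
    return sorted({e["path"].upper() for e in events if e["type"] == "dir_query"
                   and re.fullmatch(r"[A-Z]:\\", e["path"], re.IGNORECASE)
                   and not e["path"].upper().startswith("C:")})


def sig_sets_wallpaper(events: List[dict]) -> List[str]:
    """Wallpaper paths written through HKCU\\Control Panel\\Desktop\\Wallpaper."""
    return [e["data"] for e in events if e["type"] == "reg_write"
            and e["key"].lower().endswith("control panel\\desktop")
            and e.get("value", "").lower() == "wallpaper"]


def run_signatures(events: List[dict]) -> Dict[str, object]:
    """Evaluate every signature; only those that fired appear in the result."""
    out: Dict[str, object] = {}
    shadow = sig_deletes_shadow_copies(events)
    if shadow:
        out["deletes_shadow_copies"] = shadow
    renames = sig_renames_with_added_extension(events)
    if renames:
        out["renames_with_added_extension"] = renames
    if sig_checks_location(events):
        out["checks_computer_location"] = True
    cred = sig_credential_history_access(events)
    if cred:
        out["credential_history_access"] = cred
    startup = sig_drops_startup_file(events)
    if startup:
        out["drops_startup_file"] = startup
    drives = sig_enumerates_drives(events)
    if len(drives) >= 2:
        out["enumerates_drives"] = drives
    wall = sig_sets_wallpaper(events)
    if wall:
        out["sets_wallpaper_registry"] = wall
    return out


if __name__ == "__main__":
    for name, detail in run_signatures(EVENTS).items():
        print("%-32s %s" % (name, detail))
```

The rename signature is the one worth tuning: it only counts renames that append exactly one new extension, so ordinary save-as activity (a.tmp to a.txt) is ignored, and the threshold keeps a handful of legitimate renames from firing it. Lowering the threshold trades earlier detection for more noise; the report's 285 renames would clear any reasonable setting.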
MITRE ATT&CK Enterprise v15 (the number after each technique is the count of triggered signatures mapped to it)

Defense Evasion
  Indicator Removal (T1070): 1
    File Deletion (T1070.004): 1
  Modify Registry (T1112): 2
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
Credential Access
  Credentials from Password Stores (T1555): 2
    Credentials from Web Browsers (T1555.003): 1
    Windows Credential Manager (T1555.004): 1
  Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1