General

  • Target

    2024-09-29_246a010eebecb1a79764ab6419be43bd_gandcrab_karagany

  • Size

    139KB

  • Sample

    240929-z7v1pavfqa

  • MD5

    246a010eebecb1a79764ab6419be43bd

  • SHA1

    06cc1753fc2f07811ffd081115a95b3b4ebbb0b1

  • SHA256

    d4d18e74329b130973548fea288bccf243920d8c1ead47d2e7d15932e3b1d8dd

  • SHA512

    26ba462be7337f7248973b74a259aa452558ca07ad2b18815a2e081b44671fe3b889d34e8a93da8d61f727fb0c8582ac32eb84918ae7292614d48a9a702db7f3

  • SSDEEP

    1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpECaIxWzB:VM9ntZ3s1QJdnU2SQdf64ZZSCaIxWecx

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\DVYFWLMB-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .DVYFWLMB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/5d0411276196a980 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAALdWPkXlF0QmQ+kpYN1xs47rLqlp24ZAeuv6WH6K9G3rG0gmJcwYtVN9PbIimCkrj8VK8HSZuG7jJwiXgcDrzVoFk62j53S2RUiSSZuXSGFJ4UZrhSB2HweasJK4kCJyihR9TSQgpayVUmBVJso3Y4Wqd7hawfLj45Drb5nYp0gw29SOSgpmmBuSKwDjmJ42Lrt0EynXTNc3mWeYEaA2/W3UV/44KwQvVMkJOw3ZAA/s/uBa30iUJRfT5+SCx7QI1Sl+daQ4RKA9/je8F61reyxyZMUvb0pwfIUndd6OfJQ8wm0LHSI8yrcXUEjM8YfdwJUhzm9zQfupq00GQ4zP1yHXgp/V686zlX5Jb+lBbT8IuQlBVXyjWzCUvOamqYtbHdehydwwk2Ha+3DPkIKXAd6AZelSg7rQVQabuXmGtOIgmR6XcBZwJ/k1duf/gFCqbXLG6WVgZVYWe8aP4S6yq5MGN9OlSh+E2BBHpOZoMVXU8UdtMDfoybtz4sYI55sFfRLPubkawnisD0zWULVCPEknW8iDWuKBlXBaR8A7aKO5qF7P/woa9j/rU/68KiTTP8VS9DSZ6COS0Ymf9iDSAC4/jYao/5eaBeFrkwBAD810W2lJ8fjSBM3hpmRA7junm85BMNJXOCnnW6QPjkLtjpw3D+nyWmUo8O8BTpIjKoV4d/XRy6WTP+9ctaviLNgebY2SGGM70OKSLkWsZUpLrXYq+cS4P9gBRYH8++uAdJ05CP4tlCY2Z/k81vmGjrVCGomP99t3416fk1L5SgmoMHJtBFjqbVWEkSWxWFxBi+YlvtHpdLdHL3Vpup1L6N7qwNAAw5IlVBZ4ZWGoVUhm+CpC63Ssxx1ubxLtBiENuHHPnVw222d+T3qosOwj+OlBsMV+Tq8Hv2ivkZxM4NVANQSVuUXXJ9QUYoIgcCV1cxad2LDgDDxuzDFeZXGm15dCqS3Rw+bb7YoDhic43wL40rTQhAa4zHXeMhxSwQ0s+APWTYjbbNdfZK/iG84c3jpI5lD3RYMrT6ndYdw8iRdWxpkZnF221HNNSEuKL7NQHRwPNOku2t1mf+NFC6ktjLD2a+X/TYD89aXauXLzyrEISYB+RDRp8rdyKR5jDUxiuvTcOo7MZuq2/kPbQPoDSakzRooMB4t1Rvupb0eIEIXpwYYBuvXv4hC9Yj+5KhxjaREXSTfznBO4OXo+M6RCYphLyGXP7U7brCv2JWwWRF47L2JKM4qMmL6LTQ72Znmaw6nE+ZWBereOjZ2sd+uEj+f6xGhRGo5VAzCOogkD5M7vHjgmp5jf1vLmyruvh2Y7aCjfSkEJMq/c0AcsgFMcyZmNG17R6CR43ZJksMi3msidrAenaP0R2pJQmG5i31sLIOW7J/eOVDfKFQDTMZTu1We1k1FsyY4zxzpqO/vEFfQX6+Y/PvGcwT6b/OViDIvAlYYNQVLBF06OqEcBawHAcbaj9P/hlqJZ3OdypSRQAlUJLeIoBkaBNbvOrYKzw2QOf3C703DToOmh2y9D7z5iOfLzz60Ji4smEfzGg7FnR/3edsFxw3JcLzczlqOiqfsPfxSMXgU9vcrEaApY8CI6bexzlm71/hCdNHucVlYu90+zeMI0/qjedvzJ9PLKNX9XV9T3P4BkXByyXfHQdwrqr6yGI6JE0k9akPiC7jQl9kNCIn+MC1yWDmJXim1iyQYIf6e/m1stNhGhO9re4U/wtpJYNMfGE7a0YiLLSKp+wT6C4VaZheQZPHHisaJSnYYwXnmzcVXGhvgulyTkopVBzvbbxzCZZyKpL/xNY749HeNcHLL/Hs5PdgrdmaSNQo65rUnhi0ku79uaaEmmEME0e/euIJgj/5Ha+H7EX6YDHovOlbxzLZS51cyGgptYQKyhCO7muMktyLxxPT8Cyr0PMM5vkYEWHMjtdHfy2z+hWSH0xk2BNFxO5udv4fUD2Z7pd9jIwyjSJoaDsc7SrgUeASHHHQCBVOdls05QJNT6UMJiazLzbEH2TqAeRdGhCdM+K+lGrRMN8o2frbUuuhxwrLaZarijloNLP+RlleGFnxvEDeJIiNFgQR9fTo4S6WQBv5L6FZ78RNd18vp0N5tjSHk0HyETh+E36FlFY4ePVKB5TtndzkWUwMuDc3EFnEZAGAAx4k1dnpyE8ba/MIRh9VxAro83meKF76masPLXDNAT635z3QAa7d9MYTdGLgoH12NTNqrB8rVQJ6gWBgn3CZafFns1hI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZNToZRv3Yd7ndWtbfCTGSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi5rEmkUjB5OKl/2c2E+shGt1YbVqKBiHt/BHfEdEboScE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg72Zi/pDxFL3vfLOOao1wQZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMZJH8HowOP7+LRYsPy4knV/fu67PPzML9PnYTh4gzvuwKRb5tB/+FbmHWs+IUXo5eM9Q19EZhLFKM2u1g1mmDLQgzxwsJfjT5T2ECiWME ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/5d0411276196a980

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\PYLZITSY-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .PYLZITSY The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/d06120bf69520d07 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFtUO7TeI23AtIfUXZvRdKSqeZPGHEhDLLvswgfgfBfXJKkEFDdGSN/70u75UUGop32YDKRVxZBe2A8ez8SKMi9kDW8H4fcXB1ai7j+4xJD0GH8XNtkVxtkqCxOOU2tX9sJUPZe+kLiAEkUphJBhMbS37R4GbcRyAsGrnwvwgJAFo1usOzVS/Ra/AiY5PZsjt63mxEgI41fPk7L/FZoZqNJz/dzRQQRBFseduemQRtlE1bNa3QOFCbaxijA4wa9LO6S5+o7m76OE7ayYEeoAYiITTRBGE+n9jFobjY320ONjV7l4y4hJUfiEszLWifCJvlG83q11Q9StUM9vLu5/BVvAVxL/zyy3U9Afi2rAdSNdFVR+I+iPmzHPOeS3B+a6JXmUhEExTjarA/3ea8iaXbSCJ2bAy2MhagteRtIBGQ9c5ISbqj1PXYxy8kp8WwvWyzKnKdEGHQcWHdbYWo/7Exm4IYeK6WYYPDQCz6tVdlW3yX/Sd3cn3bngz4sGQsSP03SIHc4oDs9VM8kiYL7F70pfB58tSLr6KOyc8ZRwfpolbKbLTESH2ddjWUhtstIlZOUL5CYItrbg4llLCRVxhvEV5yHGHva7XehKusWP491J8XXXxHbxfhInEFA5P13buFXa82+oXGEQETDDaH8StgUl2BfXLUpaJki9xzVe8VlxSPYrNUcMMBEnQryCGh3MbzNb8D0yO5SIvIMKcUolvoLj2oCXsbBoeq5bBHkDidGPh9G9iMC2E2EXsvLNGT6pTQqvWL2Qy+vVX0F/DidqagnB7A4nlts2p8a9ypE/u9AyHOIAhnLl+iZ1bul5wUPugp5X7bS2i6p26qX8qdLnFZyLHx/OYXPuCmSAdELd6kVyGnM8I0t5DAfzmA5LgSko/Q1/KDbIbF6xq68Rkmz8cbZUcLK/lXbLt9ySfjUr1TWuPtTKfr2frO1tKEs1gAs9qZh8XTsSr84SCZzPKpkeEyczSzA5qHyGThbJZJqVRsr5bn9QAsJmC/WZ14AXlnAss51u7BvIsW9dVNWvACg/Y2yxW8/6XZWD+N0DqFgMg8UT/tuugsJi1WX6o+/i/bVKfkphTOtgd44uFeKbu2dUBdzcCcoRahNWdjlSb5xVcHKDvZ+4JVSXCHY22WJUZL6tLXsUY8NmnVHrEj89OFSkOzFr4xb9UIy6KHlrB8UQaUTHOOQjbdOesnwajWtfNkBsKUi2kHOnUtgwKJseQCFvXq+6rmIOvWXAQ/Qnaej1LGJRMtEgDiCgaiMBkvCQiumttnJg7yvmt2OAUZj9X753mX8D5bO68+2CNua+FZKxP9slzVSzkf5WLRo2ra7NcqdXkxOUOAui5Yw2+4z3MPi0yMTtE371+VDn7tQt+tmDxt5q4vnhqez+vzTfl16DnHJAYwWDU1EYCf9aMvephbvWLCP1vGOAeYntRcynJ2Be+rxSS2fEsN3Z99mHvBjaydIPFG0SgjCd6l2r5I9UeYDFk/aFQX2HnMINui1pdmPk1Zvj/ISyFQ/Jb5HZWjotTlIK2eFmxYF6dZI+SJRajc7EkJQvOGUW7Ne2cbcuKzsCmeLVPNJ8V4gB2rmZoiwsgH2hUlzj2jEo2sjZ6yU43xk5hEb2yj8ljOS93v4EvgPJjTy8wyaH6kPdLwdAjdOU6aU6FNdMH9zwyNJmbJDISZDIMpvfXCqNMKc0B5QMnhzXWy8ft3HOHDO/7W0DbB9UKlMauTtnep0rUBZ1i7eHXzQuO1wIecWiDGkzswi/sIGveLabD0szdUwAjxNUfoXXkA6xzPhA3LlkChpKXQcDHHBasZCP47/vmNivxHQZml7Bih5pQ2yVFaryw3mzUtzi8ULVsgBQ1AAFUWuV+SWJUY6Unzx4lqn2vF9QASZCm/ljQeEeMX09plfneqR2eWaYkLni29aENdHcj6E6lf+JvlYtFYXh2rs3h26OYafSaaQP1Ts3TBDlZFH1W+8nXj48Pf8C08s3pWCOq+F8UXATUF5hR9BqnTrllPhkE05uOLi2Lc7v7kH8M+htzBJvC9XDSuzxNtLddpivEMndV4Toc8yGPgak+a2FgAarfdjn9PqIf/StYuuOUSJ2HHUT4boU2prtOvQv4m40vxPIacwqGG3wdLUXw6ripaQa45AHcG04BBJMgi47ZBQbvw+zc7TQ03LvREntO+D+Fhlts/oj9pw+QCMvMmy7JRr2xCLkwNSDG6gAM9OvSGk/W3F3x3boS4KepurEHlw= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZCTo9Rs3YN7mhWt7fHTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXBtOKk/2A2EOskGttYPlrVBiHtpBHTEdsboSdG4tm4PKb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFM3vTLNOav1wIZMXQVRleKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOdb/HRc8P54k7V/HuibORzJL9NXYCh8oz7exeRbttC/+YbnzW5+JOXs5ePtQu9FxhOlLD2rpghGmLLQQz3Qtdfjj5QGFTiWwEn7JfT+zb ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/d06120bf69520d07

Targets

    • Target

      2024-09-29_246a010eebecb1a79764ab6419be43bd_gandcrab_karagany

    • Size

      139KB

    • MD5

      246a010eebecb1a79764ab6419be43bd

    • SHA1

      06cc1753fc2f07811ffd081115a95b3b4ebbb0b1

    • SHA256

      d4d18e74329b130973548fea288bccf243920d8c1ead47d2e7d15932e3b1d8dd

    • SHA512

      26ba462be7337f7248973b74a259aa452558ca07ad2b18815a2e081b44671fe3b889d34e8a93da8d61f727fb0c8582ac32eb84918ae7292614d48a9a702db7f3

    • SSDEEP

      1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpECaIxWzB:VM9ntZ3s1QJdnU2SQdf64ZZSCaIxWecx

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (285) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks