General
Target: RNSM00464.7z
Size: 24.7MB
Sample: 241008-x8vefa1hpc
MD5: 654a8d9ad78eae28285ebbe220a66d40
SHA1: 568769a38792f94bb52014952ffa12b987bfbad9
SHA256: 3cbc2e715a7f27f27bfc07e4fed45251608833ae05020fde0d06e8f1187dbe11
SHA512: 41414ad0f340c83ff61b218670dc66cbc4bb2d8726d0d32e3c6a3da09901b69e49f0361e97054fc9189a726007f04e1f2d6c43debd963653101d0094fbf0eb27
SSDEEP: 393216:iZ79twuT+C2ZeYslhGR8d3za68YmQd3RZnVDOn3CcSwlT/g2zR0bM8E8:8UZeYslcSd5mmLE3zttD0pL
Static task: static1
Behavioral task: behavioral1
  Sample: RNSM00464.7z
  Resource: win10v2004-20241007-en
Malware Config
Extracted: gandcrab
  http://gdcbghvjyqy7jclk.onion.top/
Extracted: djvu
  http://astdg.top/fhsgtsspen6/get.php
  extension: .hoop
  offline_id: 922IaqlBU1I6IKX6eTDABuH3amHHwoa5qUSb8vt1
  payload_url: http://securebiz.org/dl/build2.exe
  payload_url: http://astdg.top/files/1/build3.exe
  ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-I6qIbIYiz9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0326gDrgo
Extracted: cybergate
  v3.4.2.2
  remote: 127.0.0.1:5555
  remote: haso.ddns.net:5555
  F8GIE4GJ812773
  enable_keylogger: true
  enable_message_box: true
  ftp_directory: ./logs
  ftp_interval: 30
  injected_process: explorer.exe
  install_dir: Driver
  install_file: svchost.exe
  install_flag: true
  keylogger_enable_ftp: false
  message_box_caption: Install Flash Player
  message_box_title: Error
  password: crocro35
  regkey_hkcu: HKCU
  regkey_hklm: HKLM
Extracted: urelas
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.30.235
  218.54.31.165
  112.175.88.207
  112.175.88.208
Extracted: \Device\HarddiskVolume1\info.hta
Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ TO UN-HACK
Extracted: F:\HowToRestoreMyFiles.txt
Targets
Target: RNSM00464.7z (24.7MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
- Chaos Ransomware
- Detected Djvu ransomware
- GandCrab payload
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
- Uses the VBS compiler for execution
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
- Command and Scripting Interpreter (3)
  - PowerShell (1)
- System Services (1)
  - Service Execution (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Direct Volume Access (1)
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (1)