General

  • Target

    RNSM00360.7z

  • Size

    11.8MB

  • Sample

    241107-vc2grswdkl

  • MD5

    3b3df61b319595a6d020bb3108c6e4d4

  • SHA1

    51b6fabc559aafa428152cdf6ac0a5124ed21884

  • SHA256

    0f3cc2234920bde4f395122c66bbdf0e8848e671258bc0e6916012df0c50b52f

  • SHA512

    ba514c5571643116eabf6066c5ce8d6934e2a9bfa8d1a46fb7652ab170f95974a3cbead13dd4751958609602b896ed3f3babc98020275d7b8a4d13e377e1cab8

  • SSDEEP

    196608:yK4MSZ4Ugo1sEEHsTvgocbxzcUAnXdZ7Mak8+ALRDXdtra9/WCdAi2+yj1q:yZMynEHsTCSntZYak8+A7vra9/WCTLy8

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\OXRBGQWT-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .OXRBGQWT
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/be7eaa0421cffd61
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
URLs

http://gandcrabmfe6mnef.onion/be7eaa0421cffd61

Extracted

Path

F:\$RECYCLE.BIN\README.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_
Your personal ID: 5CF589934426A13AB8DE878552090501
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://xijymvzq4zkyubfe.onion.to
2 - http://xijymvzq4zkyubfe.onion.city
If for some reasons the addresses are not availablweropie, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - Video instruction: https://www.youtube.com/watch?v=NQrUZdsw2hA
3 - After a successful installation, run the browser
4 - Type in the address bar: http://xijymvzq4zkyubfe.onion
5 - Follow the instructions on the site
URLs

http://xijymvzq4zkyubfe.onion.to

http://xijymvzq4zkyubfe.onion.city

http://xijymvzq4zkyubfe.onion

Targets


    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Renames multiple (104) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
