General
-
Target
RNSM00338.7z
-
Size
14.8MB
-
Sample
241111-zcr1jswbnq
-
MD5
e9c1cb091e11486b5596436e66d9d481
-
SHA1
0f5969fc4e0deeead63684173aee0bdd4fd9f73b
-
SHA256
e95ea5cddb3d3b12f01e3f9b509adf737f0881d99c2e1dfcf80c55e02ac74e9c
-
SHA512
326c201270f60e9ed6f4a1accab28cce8074b9bb6031376ca5c92333d94f00f31b9f2381c20060530ccd8fd8d78457c17d0aa0d4aa9a7ff707d0ee275b073e1d
-
SSDEEP
393216:ZVUTV3zucfN4p0dmWTyW5xor/b8xwCYTLe:Z6Z3zDfSp05Ty8ozYSg
Malware Config
Extracted
C:\$Recycle.Bin\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/9666d3472d3d855f
Targets
-
-
Target
RNSM00338.7z
-
Size
14.8MB
-
MD5
e9c1cb091e11486b5596436e66d9d481
-
SHA1
0f5969fc4e0deeead63684173aee0bdd4fd9f73b
-
SHA256
e95ea5cddb3d3b12f01e3f9b509adf737f0881d99c2e1dfcf80c55e02ac74e9c
-
SHA512
326c201270f60e9ed6f4a1accab28cce8074b9bb6031376ca5c92333d94f00f31b9f2381c20060530ccd8fd8d78457c17d0aa0d4aa9a7ff707d0ee275b073e1d
-
SSDEEP
393216:ZVUTV3zucfN4p0dmWTyW5xor/b8xwCYTLe:Z6Z3zDfSp05Ty8ozYSg
Score10/10-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (304) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Hide Artifacts: Hidden Users
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
1Hidden Users
1Indicator Removal
1File Deletion
1Modify Registry
3Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1