Overview

overview

10

Static

static

3

64a45b4220...42.exe

windows7-x64

10

64a45b4220...42.exe

windows10-2004-x64

10

Resubmissions

01-12-2024 02:42

241201-c7g3haymhp 10

01-12-2024 02:32

241201-c1k6ksykhp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842.exe

  • Size

    297KB

  • Sample

    241201-c1k6ksykhp

  • MD5

    314558f9a6da39ffd12cba6c1064b3b8

  • SHA1

    2c416cbfa8aeee687534b7c0888d411c0a837c59

  • SHA256

    64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842

  • SHA512

    41fdd3cff2e4620c0dfc7adca6a985ba5af69c1e72be409ae8d206534e32e1d3d34358f3f90521f57969c3cdf391442f4dfeba2a174b3abcbe72257d36706947

  • SSDEEP

    6144:ZUL4NWKzjkaphkIOe2q4EVSh/Bw/mhMgAB:ZUsNWK3bT4EneIB

Score
10/10
gandcrabbackdoorcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\UOJATWFS-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .UOJATWFS The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/11c0a739633ba1d3 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMdNTrxlH3iW2Z30Pnn5klNPxtMcHBYIMKA4iwEky9dndlEw5BR8lTdSGEpboQfTaxy83fxatxEPi2ybR5DAiGMFHUCSFV4mHetcZG6Efvw748B2gs9AYqmB4UaAleX6dJV0tUXWKmm9E9E+qswnjGUMjY0D/BEGAnF3fDGe+xlk0IRQ8tfSgMEuCRCyjSadksf0qnzl7fvveaHK3cSZ1hrwuzFWMQvqoEKhoTK5ENqxcfvsYoz7ZTdXe2jSwjknr2A6IfBQtN3S1ZYeTem2J0X4SfCU8Zu3XBM6VkKX3G6L16NMKeLAb/MK7SzVoQLDPnp2vj/jO30vCSxc5ZRZCIEiy9u6keQ8E8A/caxll0gJ+K3thHZ8p55/sHZbw5/EQSnJry0/IiHryaS4AbZje/eYksTWNdYKNkaYEe4Arudh0DRzNlWp6+ApfI3mYgnJwwaSe+FkICGtjSTMVvAnB0fAf5B9rAg/eGJM1wubLTTBldlGTE47t1DQS6kkLNcNvUh/5zWoLSCGlubxDMOiFKlegvedqFIUthzOGuyn334VEt8cCEkZfRVWenkIApfNxdIXucPC4oSEcWFuK7OG5maIUjIQUWuixtVhIs84K4DunNcwQC2VZwxM1gqz6NDIm+x61A6c4j2gBRxPwlo2koX8A1/0szYQhtPJEeypGhUqE15mZ5sgsCyMn3EBnkTUVltzvX45XSc87nYtq5Ea7cEjzGGl0yesOVZAXL/QhQEEOswRcOluFZAGsLSg0oaeXOS3yg3ntg/Rduku5JBDo30oGXfrqGgOAyu2dcRwfrAy2aTH6EO8WUndCnADNAfqDsiKGKSXSYaHwQmf48dQFEEcmvMcGJ6M/JsFlBLXsbi0DjfuurX8yf655sDEmP/7Sb3np8nIDcQIPeOxFfuKi9Gx0YoPnIG8j5X7JEQ6IJOU+AGrAthWVgKeTubldBplpMi+2MN3YilrVajN9cnf1QOyIKtN0ETDfRhJVhgYc0qgDYCQAcmFDkYFXpjTqcHyqMiDrwQviUkgPYMacoACsxYoO8h2JToWaJ7U3Cg4wouqqTWv+CLL+wfhXuAmhF9gvjtqC/9JXl9VXQxDcn5glX64K5N5YiQK3jYU5tGGoXZSJkG0nW6wG/qJc5l2gCIJM3wwbi41ecNr8nxG9AwL7N3aJCWU49jwhohtZ/FI3C5DwKwgb5w4fYNu3t2ZGv8aU5zrnbqUAyaDmPXD0TyyJ84rBwZKMCAPCc96Zwh1Sh3STrNMk2dgcL/QQHr+tlhaKE/zfN8mydXWnFGe4102QC94nBxcwCl/G1J21hIhllXdb2iKexpyP/mAc5PUlPjfIfcP9QnQQ4Wqkuerua4YtPJfrR7irM8/PCHhFaVe8uHc+n+gCSb52Vdpz712fdcU38oDwdoIdehklU2BSNTMQ7HF5X5soPmbf8anWo44pxR5iXdqYrqGjX5XvRmG7f4IxecRe9QsNxZ+VZ+JyECtHe1blpiUgkCP+V5T8Lncss7XkS+f6lidn20F7nu0GnUhWHLPyk/BoxJLQBkrG/lk4wnOdoDoaMGUwNifVwr6DlFBXaUgCr4nMyYb+qwPGe7WlgVGlHZcJoza4wHhoREWepfnG5gk0WxH2Fj20CI2Z1i0/6XqoRtZyIjLkKJD0OTU4jgGsTiUT3KPyStx83/tY+njkAyJoAuhH3R2/7lHd0RSnBioN3fSMgRJUmebI/N/iV6o8yriZX8IasqpLH/ET+4LEkBSKir3KwqxB0tB7AYW8twzhv543S0ZRCAIMwX4a8ETrroka6O/c9GzUfOs3xR5ZWQ7nRrQ1Vqm7rRyCGPuJehXXj8+HkGTzkvF0I2debI1EdtDV/eu+g8bBPqbvXP2vYjNaxU9eUOTRqpjzfScCPGRm3Q86y26SRPYgMM82rOSENCq8Ie6RTSD5Fjsy5q6shNE0qybrm2XGzHkobWYGyeLcR3L+oK2oQ6WFH/3ocJ50KDAweHefegsgOhBGloVhlyvjnXXv/sbwDPtbCthtD88bc+F5w0C8QF8EF8zy3bFsxIWSH/hajdoMfRyVYAisR0z38X/Yp8FptbedJl3tzQoCqUJsKa4G7/foHubSNu5M+y1TfDoRmZG/9twtouKEykFWscLrU6YWaDFHUaB88ti0T7EN3f6ZaN1csSy2BZCGRRc0Y8TOoAhFZw/jhAV7xwCU1AigiG4lcscIjRdPFHn9IiAzUZ5a7QF5ZVn+aSQ3PE= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZUTpRRtHYd7m5WsbfSTHCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4rFzkRvB4OL1/2E2EusvGt1Yb1qABnXt/BHXEY0boicE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg72Zi/pDxFL3vfLOOao1wQZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMb5HxHp8Oar+NRZwP9okRV/rusrPFzM/9OnYAh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhPlLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/11c0a739633ba1d3

Extracted

Path

C:\PerfLogs\BHRSW-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .BHRSW The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/cc82fb97126ae94c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAD+Rp9ZohpLUTvC1UuPlZTMA/HDHKwmr56vgrLN8TNfWpHGKTP7nHVlPBocNgpALLZ1TsLOETh8IjOjb9I9zHn3yRzAJzL8n61BmAJ2VhrFusW4YlTAN3ZJNy2mNchPdII5WPSgBnT0qWPXymtmwK+XO8wwS2IV+/AfVIiKF19rVJWlqfhf+9QvBcJubZ9WnIG2F7eL33ZrY0x5y67H4K4TQnTSSDiU+JQ9LAp0Tn92fs0pklaRoUJV/IQQjJQ7FmmEYJXFiXZok+tdyCBajgG2dArtaBrcc3hKXfwshxmtc4DZin+9/MOTrTFL8zbxyAaEJ9CW7eMw4Sw3EQ2rNr15x+4NGlmAIzN4tWYOyAkS93YPW06uA+ZspfaN/QTeM99XSusn8dW/WPZghErUOas0pdpqH6KW5DYBLjM1Si2GJh9zRtfbhek+QuzZhF8YsL+XrnuMfVSBwDd5zVy75q/Bpi+x78nqBKlKYQRSY1IOGZl5pTOy+6mY43TwaGXBzGM/7ItEC3wiqZXFt6WWpLUamKAK/AdjJxb7/RUa6CLPmLp0ziR++MxGM573v00Nvxe98kHmbuEYva47GOFsz3XMYZNIxoEi/1nQjyaSiTfOYLYG4bSsa+IoMCcLwB1oS+shYPalpGGQztJFpW+DtQcqf6Nkhy/q1XsoutrmsK1Vi4MfwEp2mVU0E/Vb4VpUPt5o6v0pb9bAI+5fjr4/Y7aM9IUFdH+Pfv3tESHgNipM+y4Bg0CI79lnZZph4IQlX1vJ56+x55mvfujIhkMZgc4/YO7PnDgctMpjSOI8/P5QnuiWP+eRAd30T1RGRrRWigoZvKmhBM3efe9aBLSZ5UFnLFyCYTTlpgGGG7l9ArhaSC9/xAiMkjl9tSwkYrBLavgb9JN4Bx8mq2k2S8fUm73/zd5GX/GCQKoQsoQNdQCjG+Rs6T6WLKioqEjoDNJ4g3KdJ9yW72oJMQTjNTjO8ddT7Z1Y5hDcpBE2FyErRMHzK7BunAjtFs3JSP5Nsbu8tWh70VV3Th+rnQ739IVXKvp7UqZB3uGyZURsFS0cEcuB1JHuG2TTR0Fx0BqTnHLKbEz7JeOUemSprWG+5bJ9N0WR26UM//mB7Yd/jBmvaMczgFLTprp9JOTrL5Veyc22DpooYBFQ5JIxn1VaXkqSMqf+XyB/QHvlBYNGd0/MpMgGUmkSuS/BLWiV2MotQ9JUABEBtRAsouVQm3OXtGY1ntF+xVBe1Kxa5VI2qii2XT7DaMzOx3JLK2P02xoacPvMBEfEX/uCKS1w0xfE/esRFzsConC4v3vRSA9oXbaLTSUR2rKFJf2ZZqVAcL0ibiGDrDviu21L83p5My00vvAu4N//kB+xXd3+Cu0EB+CP7PeoxC4Y2kOTzjEkiWC2zEslMZNqFv+XyfZhtug1X1nfgxDcAJkuGmRfhXIfrkDo77S3p9UdfKdr4TNnKUfWjXtwJp83qk2cCBfznP1CKsxJByp9ARbcuRlgyC7wN1Dwg5+VEMrn9S0qpWKtEBoqYLhY0a0xb3wpS4pL8qsbq6/axwAcUjfiC8QEPkfPfqGu5bGUXKncK+WUX43jfQBMttk8d72TwV22HKrU7ZVa6U5d22McVKX6s/QnN1ulUN8Ql5rhJgsGCnFroJ2LgXIN30yA49BTdFfdR+zBtSUS5BUXx5Rptwt/IqvjPh7mj3BRw5QtqlHI+XWhK65LFbr8gyQ+AFkCnl6XxsnRdtmZJ89SWiMWQlPEBgJ4lhKcMNIMEb4v99Kfnm9llHzrpejxEVvdZ6+iza7u5owUVLcXCCEZQqa/Ab39KofVzjDZFT7TpOO7M3MJWtsGWs3AyiK9wDIGE8FdKMZ104xSABM6HWzHGdS3s3OtdXOoqGrgSpIn4Fagx4oj/mvMlJHMKfHTyxy3tycJPLq3YyHF+BV2W8743OPgKx7IfFR1XeI7S87xVpYazY9WG6RqWNMFhZVrLA6xbxpNcZU4FcwTuH+F0mjdFHuWGBFPYN+1CwdRARIL/3FvKfHfwrrqqR8TfwNjcr5Qw9Mqr2qH+HfyqP21l7/c9fdRKymI+/cX/Mc2ow+zq3+7Q9zv5jltUYXKsBBW0NfDIAcF3BXIaVzDR1nst2nUGlr33/sf8DhlXMAlAH/Hm7wI2lHFJGpl0Yrh9eTLB/RshjhNfwgzCTH03YLSbIpmHbmZmFOTEU/DE4meUdyN1tDyphOvkmzgMAI5jQS8AliUeTEq68ss= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZYTo1Rs3Yc7m5WtrfETHKHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXBs+L3/242E+twGolYZVqEBibtrxHQEYgb9Ccb4t24aKb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFM3vTLNOav1w4ZMHQURl2KYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfr/KRdwPsok9V+butLOnzJ/9bHYIh8cz6exNRettGP+Pbn3W/eJIXs9ebdQm9EdhJFLd2qBglmnMLQYzygtAfj75QWEAiTIEnbJST+zbSAE= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/cc82fb97126ae94c

Targets

    • Target

      64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842.exe

    • Size

      297KB

    • MD5

      314558f9a6da39ffd12cba6c1064b3b8

    • SHA1

      2c416cbfa8aeee687534b7c0888d411c0a837c59

    • SHA256

      64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842

    • SHA512

      41fdd3cff2e4620c0dfc7adca6a985ba5af69c1e72be409ae8d206534e32e1d3d34358f3f90521f57969c3cdf391442f4dfeba2a174b3abcbe72257d36706947

    • SSDEEP

      6144:ZUL4NWKzjkaphkIOe2q4EVSh/Bw/mhMgAB:ZUsNWK3bT4EneIB

    Score
    10/10
    gandcrabbackdoorcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Gandcrab family

      gandcrab

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (282) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Tasks