General
Target: 2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia
Size: 250KB
Sample: 241215-dwwxystrgq
MD5: 1f1bd29d45c5ab7b60bd03e37e3e2c01
SHA1: 6c36fc36ba6f88dd4dc22b5801a14d61c70f44b4
SHA256: 7da47ee5bb9211fa7e07b158c4e9a425a69cbae6bdbcb7200e09593d74d37e37
SHA512: 5cc9b9a5e0dfb6f03bdff7828cc637443f54b16c977e8c3998573fa9fdb268a4202d2d87a92371c8ea5fb37b6eae293ae760bf17b3c6f89446a8821ceb1ce522
SSDEEP: 3072:7HvXSC+AQalUoA/INvHc7aEBN82RSVRnoxhsI/5muYDAuBauuuuuuMuWauuuuuuw:7D+A0Z/IlbctOR4hsI
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted from: C:\Users\KRAB-DECRYPT.txt
  Payment URL: http://gandcrabmfe6mnef.onion/2d647aca69586c53
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\KRAB-DECRYPT.txt
  Payment URL: http://gandcrabmfe6mnef.onion/2e47ffacd2ccbf3
Targets
Target: 2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia (250KB)
Signatures
Gandcrab family
Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
Renames multiple (329) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Credentials from Password Stores: Windows Credential Manager: Suspicious access to Credentials History.
Drops startup file
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15
Defense Evasion
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)