General
- Target: 2025-01-18_c1f1804f2b2b147f4b83617a4759b3ba_gandcrab
- Size: 93KB
- Sample: 250118-3n6vmaylgz
- MD5: c1f1804f2b2b147f4b83617a4759b3ba
- SHA1: e5e8b97b0f2aaef264b00cad079e02f234a69ffa
- SHA256: ebbb39823cd6eaf3b4ae7737d7f6bb687efb6b9a588e5a0a3478c28b7455ad6f
- SHA512: 60480a6805e1af87f6fe403b8753878c0bba013cfb63f794ef7f88c427ca78288657cb6258fc9c7bab8ce2f3a14b020d8a535d651ad347702f9c473f11492a95
- SSDEEP: 1536:Yw2p3ieRXCkxEoSXf6GizDhp2keW8PaoYEJOcrHuTc+N:fSyex5yoSPmzKkeW8iEJjHU
Static task: static1
Behavioral task: behavioral1
- Sample: 2025-01-18_c1f1804f2b2b147f4b83617a4759b3ba_gandcrab.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2025-01-18_c1f1804f2b2b147f4b83617a4759b3ba_gandcrab.exe
- Resource: win10v2004-20241007-en
Malware Config
Extracted from C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\YMEGCMQ-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/5ef3d88d3a921045
Extracted from F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\HMOWXFBZTE-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/8c29f114da0c7d47
Targets
- Gandcrab family
- Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
- Renames multiple (270) files with added filename extension: this suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Credentials from Password Stores: Windows Credential Manager: suspicious access to Credentials History.
- Drops startup file
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (2)
- Credentials from Web Browsers (1)
- Windows Credential Manager (1)
- Unsecured Credentials (1)
- Credentials In Files (1)