General
Target: 2024-06-19_9c59dda483facf2ffc068442e0dfe91d_gandcrab_karagany
Size: 91KB
Sample: 240619-ye94gatalp
MD5: 9c59dda483facf2ffc068442e0dfe91d
SHA1: 8151fec10267140e71a20f2a348d7b125cd7f4b8
SHA256: 6e85c16717cd78817d56611151b9180eb06ca48268244a649eaf30de6e16bc87
SHA512: 838dde099a696a6c327dcad0718bf1dd01fd2d2a35a438b1fe1576cfe32c2e9188b4c1a3a480f7dd1c4dd683ffaf9bc931e4b8b379d9cacc3b120b03c1e61a2c
SSDEEP: 1536:WGdg6A8xXaHuX39Ev8hGijIa7DdfQZblriWU8BFXOsWjcdS6ItKT0S:JZqCZjIGmrLrJItKT0S
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-19_9c59dda483facf2ffc068442e0dfe91d_gandcrab_karagany.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-06-19_9c59dda483facf2ffc068442e0dfe91d_gandcrab_karagany.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted
  Ransom note: F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\KRAB-DECRYPT.txt
  URL: http://gandcrabmfe6mnef.onion/9dd94b9e4673f81c
Extracted
  Ransom note: F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\KRAB-DECRYPT.txt
  URL: http://gandcrabmfe6mnef.onion/ca083b2b468e870
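Each Extracted entry pairs a ransom-note path with a per-victim .onion URL, and the two entries come from different sandbox runs (different user SIDs, different victim IDs, same host and note name). The parser below is an added example, not sandbox output or code from the report: it embeds the four extracted lines above as constructed input, splits the path into drive, user SID and note name and the URL into host and victim ID, and derives the indicators that are stable across runs (note name, .onion host, SID-wildcarded path pattern) while deliberately leaving the victim ID out, since it differs per infection. The regular expressions, the record class and the helper names are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the two "Extracted" entries from the report, copied verbatim
# (ransom-note path on one line, per-victim .onion URL on the next).
EXTRACTED_LINES = r"""
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/9dd94b9e4673f81c
F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/ca083b2b468e870
"""

NOTE_PATH_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\(?P<dir>.*)\\(?P<name>[^\\]+)$")
# Machine/domain user SIDs have the shape S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)")
# v2 onion names are 16 base32 characters, v3 names are 56.
ONION_URL_RE = re.compile(
    r"^https?://(?P<host>(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion)/(?P<victim_id>[0-9a-f]+)$")


@dataclass(frozen=True)
class RansomNoteRecord:
    note_path: str
    drive: str
    user_sid: str
    rid: int
    note_name: str
    onion_host: str
    victim_id: str


def parse_extracted(text: str) -> list[RansomNoteRecord]:
    """Pair each note path with the URL on the following line and split both apart."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected path/URL pairs, got an odd number of lines")
    records = []
    for path_line, url_line in zip(lines[0::2], lines[1::2]):
        path_m = NOTE_PATH_RE.match(path_line)
        url_m = ONION_URL_RE.match(url_line)
        if not path_m or not url_m:
            raise ValueError(f"unrecognised pair: {path_line!r} / {url_line!r}")
        sid_m = SID_RE.search(path_m["dir"])
        if not sid_m:
            raise ValueError(f"no user SID in note path: {path_line!r}")
        records.append(RansomNoteRecord(
            note_path=path_line,
            drive=path_m["drive"].upper(),
            user_sid=sid_m.group(0),
            rid=int(sid_m["rid"]),
            note_name=path_m["name"],
            onion_host=url_m["host"],
            victim_id=url_m["victim_id"],
        ))
    return records


def note_path_glob(record: RansomNoteRecord) -> str:
    """Wildcard the drive letter and the SID so the pattern matches any victim machine."""
    m = NOTE_PATH_RE.match(record.note_path)
    generic_dir = SID_RE.sub("S-1-5-21-*", m["dir"])
    return f"*:\\{generic_dir}\\{m['name']}"


def indicators(records: list[RansomNoteRecord]) -> dict:
    """Indicators that survive across runs; the victim ID is per-infection and is left out."""
    return {
        "onion_hosts": sorted({r.onion_host for r in records}),
        "note_names": sorted({r.note_name for r in records}),
        "note_path_globs": sorted({note_path_glob(r) for r in records}),
    }


if __name__ == "__main__":
    recs = parse_extracted(EXTRACTED_LINES)
    for r in recs:
        print(f"{r.drive}: user RID {r.rid} -> {r.onion_host} (victim id {r.victim_id})")
    print(indicators(recs))
```

Both note paths sit under a `$RECYCLE.BIN` SID directory on a non-system drive with RID 1000 (the first local account), which is why the glob wildcards the drive and the SID rather than hard-coding either.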
Targets
Target: 2024-06-19_9c59dda483facf2ffc068442e0dfe91d_gandcrab_karagany
Signatures
- Deletes shadow copies: ransomware commonly deletes Volume Shadow Copies so that encrypted files cannot be restored from local snapshots.
- Renames multiple (257) files with an added filename extension: consistent with ransomware encrypting files across the system and appending an extension to each one.
- Checks computer location settings: looks up the country code configured in the registry, most likely as a geofence check before encrypting.
- Deletes itself: removes its own executable after running.
- Drops startup file: writes a file into a startup location so that it is launched at logon.
- Enumerates connected drives: attempts to read the root path of drives other than the default C: drive (the ransom note above was written to F:\).
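The signatures above are the sandbox's behavioural verdicts; the detection logic that produces them is not shown on the page. The block below is an added example, not the sandbox's own rules: it runs one small check per listed signature over a constructed event stream (process command lines, file renames, deletes and writes, registry reads, directory queries) that mirrors this report, including 257 renames, and over a benign stream that a careless rule would misclassify. The `vssadmin`/`wmic` command patterns, the `Geo\Nation` registry value, the Startup folder path, the `.KRAB` extension, the user name and the 50-rename threshold are assumptions of this example, not facts from the report.

```python
import re
from collections import Counter

# Constructed event stream standing in for a behavioural run. The user name,
# directories, the ".KRAB" extension and the exact commands are assumptions
# chosen to exercise each signature; they are not taken from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-19_9c59dda483facf2ffc068442e0dfe91d_gandcrab_karagany.exe")
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [
    {"type": "registry_read", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dir_query", "path": "C:\\"},
    {"type": "dir_query", "path": "D:\\"},
    {"type": "dir_query", "path": "F:\\"},
    {"type": "file_write", "path": STARTUP_DIR + r"\KRAB-DECRYPT.txt"},
]
EVENTS += [{"type": "file_rename", "src": rf"F:\docs\report{i}.docx",
            "dst": rf"F:\docs\report{i}.docx.KRAB"} for i in range(257)]
EVENTS += [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": f'cmd.exe /c del "{SAMPLE}"'},
    {"type": "file_delete", "path": SAMPLE},
]

# Benign activity that must not fire: listing (not deleting) shadow copies, a rename
# that swaps the extension instead of appending one, and a query of C:\ only.
BENIGN_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},
    {"type": "file_rename", "src": r"C:\tmp\a.tmp", "dst": r"C:\tmp\a.docx"},
    {"type": "dir_query", "path": "C:\\"},
]

SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ROOT_RE = re.compile(r"^([A-Za-z]):\\$")


def sig_deletes_shadow_copies(events):
    return [e["cmdline"] for e in events
            if e["type"] == "process" and SHADOW_DELETE_RE.search(e["cmdline"])]


def sig_mass_rename(events, threshold=50):
    """Count renames of the form X -> X.<ext>; report extensions seen at least `threshold` times."""
    by_ext = Counter()
    for e in events:
        if e["type"] != "file_rename":
            continue
        src, dst = e["src"].lower(), e["dst"].lower()
        if dst.startswith(src + ".") and "\\" not in dst[len(src):]:
            by_ext[dst[len(src):]] += 1
    return {ext: n for ext, n in by_ext.items() if n >= threshold}


def sig_location_check(events):
    return [e["key"] for e in events
            if e["type"] == "registry_read" and GEO_KEY_RE.search(e["key"])]


def sig_deletes_itself(events, sample_path):
    return [e["path"] for e in events
            if e["type"] == "file_delete" and e["path"].lower() == sample_path.lower()]


def sig_drops_startup_file(events):
    return [e["path"] for e in events
            if e["type"] == "file_write" and STARTUP_RE.search(e["path"])]


def sig_enumerates_drives(events):
    """Root-directory queries on any drive other than the system drive C:."""
    roots = set()
    for e in events:
        m = ROOT_RE.match(e["path"]) if e["type"] == "dir_query" else None
        if m and m.group(1).upper() != "C":
            roots.add(m.group(1).upper())
    return sorted(roots)


def run_signatures(events, sample_path):
    """Return only the signatures that fired, keyed by the report's signature names."""
    results = {
        "Deletes shadow copies": sig_deletes_shadow_copies(events),
        "Renames multiple files with added filename extension": sig_mass_rename(events),
        "Checks computer location settings": sig_location_check(events),
        "Deletes itself": sig_deletes_itself(events, sample_path),
        "Drops startup file": sig_drops_startup_file(events),
        "Enumerates connected drives": sig_enumerates_drives(events),
    }
    return {name: evidence for name, evidence in results.items() if evidence}


if __name__ == "__main__":
    for name, evidence in run_signatures(EVENTS, SAMPLE).items():
        print(f"{name}: {evidence}")
```

The rename check keys on the original name being a strict prefix of the new one, so an extension swap (`a.tmp` to `a.docx`) does not count, and the shadow-copy check requires the `delete` verb, so routine `vssadmin list shadows` from backup software does not fire.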