General
- Target: 75f5c417a7ef4076d5730ce3e847d5bf
- Size: 261KB
- Sample: 201025-dn71c6zr6e
- MD5: 75f5c417a7ef4076d5730ce3e847d5bf
- SHA1: a4931cd472f217de0056877ddd446c9a6627d1cd
- SHA256: b2f644f5e3d2040ef24f9ca3a36de0c8606a00f30a0da4fbad471db7d2b2a377
- SHA512: 1fcf09a65466684ade22a1bcd56ff2c7943c5535dc3fcfcfa8a0188b219011cc0f46abafad26bbe7ea9d72253d0c7b8804072cffa1413235699b9e38240e9e25
Static task: static1
Behavioral task: behavioral1
- Sample: 75f5c417a7ef4076d5730ce3e847d5bf.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: 75f5c417a7ef4076d5730ce3e847d5bf.exe
- Resource: win10
Malware Config
Extracted from C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Family: cerber
Extracted from C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
Extracted from C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt
Family: cerber
Extracted from C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
Targets
- Target: 75f5c417a7ef4076d5730ce3e847d5bf
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry