
Resubmissions

17/02/2021, 18:00: analysis 210217-6k9bf8hnla (score 10)

02/02/2021, 09:28: analysis 210202-6r27d31vxn (score 10)

General

  • Target

    2.exe

  • Size

    2.5MB

  • Sample

    210202-6r27d31vxn

  • MD5

    e63e41e15e86489a98dbeb2e6cb44e8a

  • SHA1

    5815d349a375f5cdf090ababcff86b3946ed6c07

  • SHA256

    0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da

  • SHA512

    749d9580ac631916fbc1db207f0f48ed2ff9979f0cd8e352633cd86edfe7bd5bbb6da90b014e0b8ad639f8b9e567498f07353ef907ce2bd6dfa5536d3079991e

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Recovery_Instructions.txt

Ransom Note
## YOUR NETWORK HAS BEEN COMPROMISED ##
------------------------------------------
All your important files have been encrypted!
-------------------------------------------------
Your files are safe! Only modified.
ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to solve your problem.
We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment.
If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website.
We only seek money and do not want to damage your reputation or prevent your business from running.
If you take wise choice to pay, all of this will be solved very soon and smoothly.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
---------------------------------------------------------
Contact us for price.
[email protected]
----------------------------------------------------------
Make contact as soon as possible.
If you don't contact us within 72 hours, price will be higher.

Extracted

Path

C:\Recovery_Instructions.txt

Ransom Note
##### YOUR NETWORK HAS BEEN COMPROMISED #####
---------------------------------------------
All your important files have been encrypted!
---------------------------------------------
Your files are safe! Only modified.
ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to solve your problem.
We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment.
If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website.
We only seek money and do not want to damage your reputation or prevent your business from running.
If you take wise choice to pay, all of this will be solved very soon and smoothly.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
-----------------------------------------------------------
Contact us for price:
[email protected]
-----------------------------------------------------------
Make contact as soon as possible.
If you don't contact us within 72 hours, price will be higher.

Targets

    • Target

      2.exe

    • Size

      2.5MB

    • MD5

      e63e41e15e86489a98dbeb2e6cb44e8a

    • SHA1

      5815d349a375f5cdf090ababcff86b3946ed6c07

    • SHA256

      0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da

    • SHA512

      749d9580ac631916fbc1db207f0f48ed2ff9979f0cd8e352633cd86edfe7bd5bbb6da90b014e0b8ad639f8b9e567498f07353ef907ce2bd6dfa5536d3079991e

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox exposes hypervisor-specific ACPI table names under HKLM\HARDWARE\ACPI; reading them is a common sandbox/VM check.

    • Modifies boot configuration data using bcdedit

      Ransomware commonly uses bcdedit to disable the Windows recovery environment or to ignore boot failures, so that recovery tools cannot be reached after encryption.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Drops file in Drivers directory

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Setting ThreadHideFromDebugger on a thread stops its debug events from reaching an attached debugger; a common anti-debugging technique.
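The recovery-inhibition signatures above (shadow copy deletion, bcdedit changes, wbadmin System State backup deletion) and the registry-based VM checks (ACPI VirtualBox tables, BIOS version values) are the behaviours a detection engineer would most want to match in endpoint telemetry. The following is an added example, not tria.ge's own signature logic and not code from the sample: a small Python detector run over constructed Sysmon-style process-creation and registry-read events. The event records, PIDs, and exact command-line arguments are constructed for the example (the report lists the behaviours but does not show the sample's actual command lines); the registry paths are the well-known VirtualBox and BIOS locations, and the ATT&CK mappings are T1490 (Inhibit System Recovery) and T1497 (Virtualization/Sandbox Evasion).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal endpoint event. kind is "process_create" (detail = command line)
    or "registry_read" (detail = registry value path)."""
    kind: str
    pid: int
    image: str
    detail: str


# Constructed events modelled on Sysmon EID 1 / EID 13-style records.
# They are illustrative only and were not taken from the sandbox report.
SAMPLE_EVENTS = [
    Event("process_create", 1001, r"C:\Users\Admin\Desktop\2.exe", r'"C:\Users\Admin\Desktop\2.exe"'),
    Event("registry_read", 1001, r"C:\Users\Admin\Desktop\2.exe", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("registry_read", 1001, r"C:\Users\Admin\Desktop\2.exe", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    Event("process_create", 1002, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    Event("process_create", 1003, r"C:\Windows\System32\bcdedit.exe", r"bcdedit /set {default} recoveryenabled No"),
    Event("process_create", 1004, r"C:\Windows\System32\bcdedit.exe", r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    Event("process_create", 1005, r"C:\Windows\System32\wbadmin.exe", r"wbadmin delete catalog -quiet"),
    Event("process_create", 1006, r"C:\Windows\System32\wbadmin.exe", r"wbadmin  DELETE   systemstatebackup  -keepVersions:0"),
    # Benign controls: reading the note and merely listing shadows must not fire.
    Event("process_create", 1007, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Recovery_Instructions.txt"),
    Event("process_create", 1008, r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),
]

# (rule name, event kind, regex applied to the normalised detail, ATT&CK technique)
RULES = [
    ("vssadmin shadow deletion", "process_create",
     r"\bvssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)\b", "T1490"),
    ("wmic shadow deletion", "process_create",
     r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", "T1490"),
    ("bcdedit recovery disabled", "process_create",
     r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", "T1490"),
    ("wbadmin backup deletion", "process_create",
     r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", "T1490"),
    ("bios version registry read", "registry_read",
     r"\\hardware\\description\\system\\(system|video)biosversion$", "T1497"),
    ("virtualbox acpi table read", "registry_read",
     r"\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__", "T1497"),
]


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so case and spacing tricks in
    command lines do not evade the patterns."""
    return re.sub(r"\s+", " ", text.strip()).lower()


def detect(events):
    """Return (pid, rule name, technique) for every event matching a rule."""
    hits = []
    for ev in events:
        text = normalize(ev.detail)
        for name, kind, pattern, technique in RULES:
            if ev.kind == kind and re.search(pattern, text):
                hits.append((ev.pid, name, technique))
    return hits


def techniques(events):
    """Distinct ATT&CK techniques observed across all events."""
    return {technique for _, _, technique in detect(events)}


def inhibit_recovery_chain(events, minimum_distinct_rules: int = 2) -> bool:
    """True when two or more distinct T1490 rules fire in the same event stream.
    Shadow deletion alone is sometimes legitimate admin activity; the
    combination with bcdedit or wbadmin changes is far more specific."""
    t1490_rules = {name for _, name, tech in detect(events) if tech == "T1490"}
    return len(t1490_rules) >= minimum_distinct_rules


if __name__ == "__main__":
    for pid, name, technique in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {name} [{technique}]")
    print("recovery-inhibition chain:", inhibit_recovery_chain(SAMPLE_EVENTS))
```

Two caveats for production use. vssadmin, wbadmin and bcdedit are legitimate administrative tools, so the combination (several distinct T1490 rules from one process tree, shortly before a burst of file renames like the "Modifies extensions of user files" signature above) is a far better alert than any single match. Command-line regexes are also bypassable: shadow copies can be removed through WMI from PowerShell or directly through the VSS COM interfaces without ever spawning vssadmin, so pair this with WMI and file-system telemetry rather than relying on process creation alone.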

MITRE ATT&CK Enterprise v6

Tasks