Resubmissions

  • 10/02/2022, 19:36: 220210-ybmtrsagdp (score 10)
  • 08/02/2022, 23:24: 220208-3dzcssgegm (score 10)

General

  • Target: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e
  • Size: 127KB
  • Sample: 220210-ybmtrsagdp
  • MD5: c731cbf04c68430f31ff0ab1b0b1f054
  • SHA1: f3c14e25584475f01f417e3ec45474aa8de4400d
  • SHA256: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e
  • SHA512: 1f188fa26c4554f4c3fdb73ea7c105b76a354f6444f4977eee5fc0b31df9b880118e912bb86bdf93874c55b081713ae51b32115ab600bdeda0ec62e61f3b7b61

Malware Config

Extracted

Path: C:\Users\Admin\RECOVERY INFORMATION.txt

Ransom Note:
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 23261502C164

Extracted

Path: C:\Program Files\RECOVERY INFORMATION.txt

Ransom Note:
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 9A7B3DF4C928

Targets

    • Target: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e
    • Size: 127KB
    • MD5: c731cbf04c68430f31ff0ab1b0b1f054
    • SHA1: f3c14e25584475f01f417e3ec45474aa8de4400d
    • SHA256: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e
    • SHA512: 1f188fa26c4554f4c3fdb73ea7c105b76a354f6444f4977eee5fc0b31df9b880118e912bb86bdf93874c55b081713ae51b32115ab600bdeda0ec62e61f3b7b61

    Score: 10/10

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6